Name: Class: Date:
Chapter 09 - Security Management Practices
Copyright Cengage Learning. Powered by Cognero. Page 1
1. Using a practice called baselining, you are able to develop policy based on the typical practices of the industry in which
you are working.
a. True
b. False
ANSWER: False
2. A company striving for ‘best security practices’ makes every effort to establish security program elements that meet
every minimum standard in their industry.
a. True
b. False
ANSWER: False
3. One question you should ask when choosing among recommended practices is “Can your organization afford to
implement the recommended practice?”
a. True
b. False
ANSWER: True
4. Performance measurements are seldom required in today’s regulated InfoSec environment.
a. True
b. False
ANSWER: False
5. Attaining certification in security management is a long and difficult process, but once attained, an organization
remains certified for the life of the organization.
a. True
b. False
ANSWER: False
6. One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is
measured. ____________
ANSWER: True
7. The biggest barrier to baselining in InfoSec is the fact that many organizations do not share warnings with other
organizations. ____________
ANSWER: False - benchmarking
8. A comprehensive assessment of a system’s technical and nontechnical protection strategies, as specified by a particular
set of requirements is known as accreditation. ____________
ANSWER: False - certification
9. Standardization is an attempt to improve information security practices by comparing an organization’s efforts
against those of a similar organization or an industry-developed standard to produce results it would like to duplicate.
____________
ANSWER: False - Benchmarking
10. The authorization by an oversight authority of an IT system to process, store, or transmit information is known as
certification. ____________
ANSWER: False - accreditation
11. Recommended practices are those security efforts that seek to provide a superior level of performance in the
protection of information. ____________
ANSWER: True
12. A performance measure is an assessment of the performance of some action or process against which
future performance is assessed. _____________
ANSWER: False - baseline
13. A standard of due process is a legal standard that requires an organization and its employees to act as a “reasonable
and prudent” individual or organization would under similar circumstances. ____________
ANSWER: False - care
14. Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and
managerial—implemented in the organization are known as program measurements. ____________
ANSWER: False - performance
15. Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is
known as which of the following?
a. benchmarking b. best practices
c. baselining d. due diligence
ANSWER: a
16. Which of the following is a possible result of failure to establish and maintain standards of due care and due
diligence?
a. Baselining b. Legal liability
c. Competitive disadvantage d. Certification revocation
ANSWER: b
17. Which of the following is NOT a consideration when selecting recommended best practices?
a. Threat environment is similar b. Resource expenditures are practical
c. Organization structure is similar d. Same certification and accreditation agency or standard
ANSWER: d
18. What are the legal requirements that an organization adopt a standard based on what a prudent organization should do,
and then maintain that standard?
a. Certification and accreditation b. Best practices
c. Due care and due diligence d. Baselining and benchmarking
ANSWER: c
19. Problems with benchmarking include all but which of the following?
a. Organizations don’t often share information on successful attacks
b. Organizations being benchmarked are seldom identical
c. Recommended practices change and evolve, thus past performance is no indicator of future success
d. Benchmarking doesn’t help in determining the desired outcome of the security process
ANSWER: d
20. Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the
category of people?
a. Do you perform background checks on all employees with access to sensitive data, areas, or access points?
b. Are the user accounts of former employees immediately removed on termination?
c. Would the typical employee recognize a security issue?
d. Would the typical employee know how to report a security issue to the right people?
ANSWER: b
21. Which of the following terms is described as the process of designing, implementing, and managing the use of the
collected data elements to determine the effectiveness of the overall security program?
a. Performance management b. Baselining
c. Best practices d. Standards of due care/diligence
ANSWER: a
22. Which of the following is NOT one of the three types of performance measures used by organizations?
a. Those that determine the effectiveness of the execution of InfoSec policy
b. Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services
c. Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy
d. Those that assess the impact of an incident or other security event on the organization or its mission
ANSWER: c
23. Organizations must consider all but which of the following during development and implementation of an InfoSec
measurement program?
a. Measurements must yield quantifiable information
b. Data that supports the measures needs to be readily obtainable
c. Only repeatable InfoSec processes should be considered for measurement
d. Measurements must be useful for tracking non-compliance by internal personnel
ANSWER: d
24. Which of the following is NOT a factor critical to the success of an information security performance program?
a. Strong upper level management support
b. High level of employee buy-in
c. Quantifiable performance measurements
d. Results oriented measurement analysis
ANSWER: b
25. Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures
program, according to Kovacich?
a. Why should these measurements be collected?
b. Where will these measurements be collected?
c. What affect will measurement collection have on efficiency?
d. Who will collect these measurements?
ANSWER: c
26. The InfoSec measurement development process recommended by NIST is divided into two major activities. Which
of the following is one of them?
a. Regularly monitor and test networks b. Identification and definition of the current InfoSec program
c. Maintain a vulnerability management program d. Compare organizational practices against organizations of similar characteristics
ANSWER: b
27. InfoSec measurements collected from production statistics depend greatly on which of the following factors?
a. Types of performance measures developed
b. Number of systems and users of those systems
c. Number of monitored threats and attacks
d. Activities and goals implemented by the business unit
ANSWER: b
28. Which of the following InfoSec measurement specifications makes it possible to define success in the security
program?
a. Development approach b. Establishing targets
c. Prioritization and selection d. Measurements templates
ANSWER: b
29. Which of the following is the first phase in the NIST process for performance measurement implementation?
a. Develop the business case b. Obtain resources
c. Prepare for data collection d. Identify corrective actions
ANSWER: c
30. Which of the following is the last phase in the NIST process for performance measures implementation?
a. Apply corrective actions b. Obtain resources
c. Document the process d. Develop the business case
ANSWER: a
31. In security management, which of the following is issued by a management official and serves as a means of assuring
that systems are of adequate quality?
a. Accreditation b. Certification
c. Performance measurement d. Testimonial
ANSWER: a
32. Which of the following is Tier 3 (indicating environment of operation) of the tiered risk management approach?
a. Mission/business process
b. Information system
c. Accounting/logistics
d. Organization
ANSWER: b
33. According to NIST SP 800-37, which of the following is the first step in the security controls selection process?
a. Categorize the information system and the information processed
b. Select an initial set of baseline security controls
c. Assess the security controls using appropriate assessment procedures
d. Authorize information system operation based on risk determination
ANSWER: a
34. The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the
following tasks?
a. Prepare the plan of action and develop milestones b. Assemble the security authorization package
c. Determine if the cost/benefit ratio is acceptable d. Determine the risk to organizational operations
ANSWER: c
35. Best security practices balance the need for user _____________ to information with the need for adequate protection
while simultaneously demonstrating fiscal responsibility.
ANSWER: access
36. A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an
internal goal.
ANSWER: baselining
baseline
37. ____________________ encompasses a requirement that the implemented standards continue to provide the required
level of protection.
ANSWER: due diligence
38. A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a
performance __________.
ANSWER: target
measure
metric
39. The last phase in the NIST performance measures implementation process is to apply ______________ actions which
closes the gap found in Phase 2.
ANSWER: corrective
40. When choosing from among recommended practices, an organization should consider a number of questions. List
four.
ANSWER: Does your organization resemble the target organization of the recommended practice?
Are you in a similar industry as the target of the recommended practice?
Do you face similar challenges as the target of the recommended practice?
Is your organizational structure similar to the target of the recommended practice?
Can your organization expend resources at the level required by the recommended practice?
Is your threat environment similar to the one assumed by the recommended practice?
41. List the four factors critical to the success of an InfoSec performance program, according to NIST SP 800-55, Rev. 1.
ANSWER: Strong upper level management support
Practical InfoSec policies and procedures
Quantifiable performance measurements
Results oriented measurement analysis
42. Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the
following questions posed by Kovacich. List four of these questions.
ANSWER: Why should these statistics be collected?
What specific statistics will be collected?
How will these statistics be collected?
When will these statistics be collected?
Who will collect these statistics?
Where (at what point in the function’s process) will these statistics be collected?
43. The process of implementing a performance measures program recommended by NIST involves six phases. List and
describe them.
ANSWER: Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data collection and
compare measurements with targets (gap analysis).
Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in
phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on
overall risk mitigation goals, and selecting the most appropriate corrective actions.
Phase 4: Develop the business case.
Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement
remediation actions identified in phase 3.
Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the
security program or in the security controls.
44. What are the two major activities into which the InfoSec measurement development process recommended by NIST is
divided?
ANSWER: 1. Identification and definition of the current InfoSec program
2. Development and selection of specific measurements to gauge the implementation, effectiveness,
efficiency, and impact of the security controls
45. On what do measurements collected from production statistics greatly depend? Explain your answer.
ANSWER: Measurements collected from production statistics depend greatly on the number of systems
and the number of users of those systems. As the number of systems changes and/or the number of users of
those systems changes, the effort to maintain the same level of service will vary.
46. Why is measurement prioritization and selection important? How can it be achieved?
ANSWER: Because organizations seem to better manage what they measure, it is important to ensure that individual
metrics are prioritized in the same manner as the processes that they measure. This can be achieved with a
simple low-, medium-, or high-priority ranking system or a weighted scale approach, which would involve
assigning values to each measurement based on its importance in the context of the overall InfoSec program
and in the overall risk-mitigation goals and criticality of the systems.
47. Why must you do more than simply list the InfoSec measurements collected when reporting them? Explain.
ANSWER: In most cases, simply listing the measurements collected does not adequately convey their meaning. For
example, a line chart showing the number of malicious code attacks occurring per day may communicate a
basic fact, but unless the reporting mechanism can provide the context—for example, the number of new
malicious code variants on the Internet in that time period—the measurement will not serve its intended
purpose. In addition, you must make decisions about how to present correlated metrics - whether to use pie,
line, bar, or scatter charts, and which colors denote which kinds of results.
48. Compare and contrast accreditation and certification.
ANSWER: In security management, accreditation is the authorization of an IT system to process, store, or transmit
information. Accreditation is issued by a management official and serves as a means of assuring that systems
are of adequate quality. It also challenges managers and technical staff to find the best methods to assure
security, given technical constraints, operational constraints, and mission requirements.
Certification is a comprehensive assessment of both technical and nontechnical protection strategies for a
particular system, as specified by a particular set of requirements. Thus, while systems may be certified as
meeting a specific set of criteria—like the PCI DSS—they must be accredited (or approved by an appropriate
authority) before being allowed to process a specific set of information (such as classified documents) at an
acceptable level of risk.
49. Describe the three tier approach of the RMF as defined by NIST SP 800-37.
ANSWER: NIST follows a three-tiered approach to risk management. Most organizations work from the top down,
focusing first on aspects affecting the entire organization, such as governance (tier 1). Then, after the more
strategic issues are addressed, they move toward more tactical issues around business processes (tier 2). The
most detailed aspects are addressed in tier 3, dealing with information systems.
a. accreditation
b. baseline
c. benchmarking
d. certification
e. due diligence
f. best security practices
g. recommended business practices
h. standard of due care
i. performance measurements
j. NIST SP 800-37
50. The actions that demonstrate that an organization has made a valid effort to protect others and that the
implemented standards continue to provide the required level of protection.
ANSWER: e
51. The authorization of an IT system to process, store, or transmit information.
ANSWER: a
52. A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or
organization would under similar circumstances.
ANSWER: h
53. Those security efforts that are considered among the best in the industry.
ANSWER: f
54. A comprehensive assessment of a system’s technical and nontechnical protection strategies, as specified by a
particular set of requirements.
ANSWER: d
55. The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical
and managerial—implemented in the organization.
ANSWER: i
56. A common approach to a Risk Management Framework (RMF) for InfoSec practice.
ANSWER: j
57. An attempt to improve information security practices by comparing an organization’s efforts against practices of a
similar organization or an industry-developed standard to produce results it would like to duplicate.
ANSWER: c
58. Those procedures that provide a superior level of security for an organization’s information.
ANSWER: g
59. An assessment of the performance of some action or process against which future performance is assessed.
ANSWER: b

Elena Simperl
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 

Recently uploaded (20)

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 

Chapter 09 security_management_practices

1. Using a practice called baselining, you are able to develop policy based on the typical practices of the industry in which you are working.
a. True
b. False
ANSWER: False

2. A company striving for ‘best security practices’ makes every effort to establish security program elements that meet every minimum standard in their industry.
a. True
b. False
ANSWER: False

3. One question you should ask when choosing among recommended practices is “Can your organization afford to implement the recommended practice?”
a. True
b. False
ANSWER: True

4. Performance measurements are seldom required in today’s regulated InfoSec environment.
a. True
b. False
ANSWER: False

5. Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.
a. True
b. False
ANSWER: False

6. One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. ____________
ANSWER: True

7. The biggest barrier to baselining in InfoSec is the fact that many organizations do not share warnings with other organizations. ____________
ANSWER: False - benchmarking

8. A comprehensive assessment of a system’s technical and nontechnical protection strategies, as specified by a particular set of requirements, is known as accreditation. ____________
ANSWER: False - certification

9. Standardization is an attempt to improve information security practices by comparing an organization’s efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. ____________
ANSWER: False - Benchmarking

10. The authorization by an oversight authority of an IT system to process, store, or transmit information is known as certification. ____________
ANSWER: False - accreditation

11. Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. ____________
ANSWER: True

12. A performance measure is an assessment of the performance of some action or process against which future performance is assessed. _____________
ANSWER: False - baseline

13. A standard of due process is a legal standard that requires an organization and its employees to act as a “reasonable and prudent” individual or organization would under similar circumstances. ____________
ANSWER: False - care

14. Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization are known as program measurements. ____________
ANSWER: False - performance

15. Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?
a. benchmarking
b. best practices
c. baselining
d. due diligence
ANSWER: a

16. Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
a. Baselining
b. Legal liability
c. Competitive disadvantage
d. Certification revocation
ANSWER: b

17. Which of the following is NOT a consideration when selecting recommended best practices?
a. Threat environment is similar
b. Resource expenditures are practical
c. Organization structure is similar
d. Same certification and accreditation agency or standard
ANSWER: d

18. What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain that standard?
a. Certification and accreditation
b. Best practices
c. Due care and due diligence
d. Baselining and benchmarking
ANSWER: c

19. Problems with benchmarking include all but which of the following?
a. Organizations don’t often share information on successful attacks
b. Organizations being benchmarked are seldom identical
c. Recommended practices change and evolve, thus past performance is no indicator of future success
d. Benchmarking doesn’t help in determining the desired outcome of the security process
ANSWER: d

20. Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?
a. Do you perform background checks on all employees with access to sensitive data, areas, or access points?
b. Are the user accounts of former employees immediately removed on termination?
c. Would the typical employee recognize a security issue?
d. Would the typical employee know how to report a security issue to the right people?
ANSWER: b

21. Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?
a. Performance management
b. Baselining
c. Best practices
d. Standards of due care/diligence
ANSWER: a

22. Which of the following is NOT one of the three types of performance measures used by organizations?
a. Those that determine the effectiveness of the execution of InfoSec policy
b. Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services
c. Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy
d. Those that assess the impact of an incident or other security event on the organization or its mission
ANSWER: c

23. Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?
a. Measurements must yield quantifiable information
b. Data that supports the measures needs to be readily obtainable
c. Only repeatable InfoSec processes should be considered for measurement
d. Measurements must be useful for tracking non-compliance by internal personnel
ANSWER: d

24. Which of the following is NOT a factor critical to the success of an information security performance program?
a. Strong upper level management support
b. High level of employee buy-in
c. Quantifiable performance measurements
d. Results oriented measurement analysis
ANSWER: b

25. Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?
a. Why should these measurements be collected?
b. Where will these measurements be collected?
c. What effect will measurement collection have on efficiency?
d. Who will collect these measurements?
ANSWER: c

26. The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them?
a. Regularly monitor and test networks
b. Identification and definition of the current InfoSec program
c. Maintain a vulnerability management program
d. Compare organizational practices against organizations of similar characteristics
ANSWER: b

27. InfoSec measurements collected from production statistics depend greatly on which of the following factors?
a. Types of performance measures developed
b. Number of systems and users of those systems
c. Number of monitored threats and attacks
d. Activities and goals implemented by the business unit
ANSWER: b

28. Which of the following InfoSec measurement specifications makes it possible to define success in the security program?
a. Development approach
b. Establishing targets
c. Prioritization and selection
d. Measurements templates
ANSWER: b

29. Which of the following is the first phase in the NIST process for performance measurement implementation?
a. Develop the business case
b. Obtain resources
c. Prepare for data collection
d. Identify corrective actions
ANSWER: c

30. Which of the following is the last phase in the NIST process for performance measures implementation?
a. Apply corrective actions
b. Obtain resources
c. Document the process
d. Develop the business case
ANSWER: a

31. In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality?
a. Accreditation
b. Certification
c. Performance measurement
d. Testimonial
ANSWER: a

32. Which of the following is Tier 3 (indicating environment of operation) of the tiered risk management approach?
a. Mission/business process
b. Information system
c. Accounting/logistics
d. Organization
ANSWER: b

33. According to NIST SP 800-37, which of the following is the first step in the security controls selection process?
a. Categorize the information system and the information processed
b. Select an initial set of baseline security controls
c. Assess the security controls using appropriate assessment procedures
d. Authorize information system operation based on risk determination
ANSWER: a

34. The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks?
a. Prepare the plan of action and develop milestones
b. Assemble the security authorization package
c. Determine if the cost/benefit ratio is acceptable
d. Determine the risk to organizational operations
ANSWER: c

35. Best security practices balance the need for user _____________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility.
ANSWER: access

36. A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an internal goal.
ANSWER: baselining baseline

37. ____________________ encompasses a requirement that the implemented standards continue to provide the required level of protection.
ANSWER: due diligence

38. A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.
ANSWER: target measure metric

39. The last phase in the NIST performance measures implementation process is to apply ______________ actions, which closes the gap found in Phase 2.
ANSWER: corrective

40. When choosing from among recommended practices, an organization should consider a number of questions. List four.
ANSWER:
Does your organization resemble the target organization of the recommended practice?
Are you in a similar industry as the target of the recommended practice?
Do you face similar challenges as the target of the recommended practice?
Is your organizational structure similar to the target of the recommended practice?
Can your organization expend resources at the level required by the recommended practice?
Is your threat environment similar to the one assumed by the recommended practice?

41. List the four factors critical to the success of an InfoSec performance program, according to NIST SP 800-55, Rev. 1.
ANSWER:
Strong upper level management support
Practical InfoSec policies and procedures
Quantifiable performance measurements
Results oriented measurement analysis

42. Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the following questions posed by Kovacich. List four of these questions.
ANSWER:
Why should these statistics be collected?
What specific statistics will be collected?
How will these statistics be collected?
When will these statistics be collected?
Who will collect these statistics?
Where (at what point in the function’s process) will these statistics be collected?

43. The process of implementing a performance measures program recommended by NIST involves six phases. List and describe them.
ANSWER:
Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis).
Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions.
Phase 4: Develop the business case.
Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in Phase 3.
Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.

44. What are the two major activities into which the InfoSec measurement development process recommended by NIST is divided?
ANSWER:
1. Identification and definition of the current InfoSec program
2. Development and selection of specific measurements to gauge the implementation, effectiveness, efficiency, and impact of the security controls

45. On what do measurements collected from production statistics greatly depend? Explain your answer.
ANSWER: Measurements collected from production statistics depend greatly on the number of systems and the number of users of those systems. As the number of systems changes and/or the number of users of those systems changes, the effort to maintain the same level of service will vary.

46. Why is measurement prioritization and selection important? How can it be achieved?
ANSWER: Because organizations seem to better manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes that they measure. This can be achieved with a simple low-, medium-, or high-priority ranking system or a weighted scale approach, which would involve assigning values to each measurement based on its importance in the context of the overall InfoSec program and in the overall risk-mitigation goals and criticality of the systems.

47. Why must you do more than simply list the InfoSec measurements collected when reporting them? Explain.
ANSWER: In most cases, simply listing the measurements collected does not adequately convey their meaning. For example, a line chart showing the number of malicious code attacks occurring per day may communicate a basic fact, but unless the reporting mechanism can provide the context—for example, the number of new malicious code variants on the Internet in that time period—the measurement will not serve its intended purpose. In addition, you must make decisions about how to present correlated metrics: whether to use pie, line, bar, or scatter charts, and which colors denote which kinds of results.

48. Compare and contrast accreditation and certification.
ANSWER: In security management, accreditation is the authorization of an IT system to process, store, or transmit information. Accreditation is issued by a management official and serves as a means of assuring that systems are of adequate quality. It also challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements. Certification is a comprehensive assessment of both technical and nontechnical protection strategies for a particular system, as specified by a particular set of requirements. Thus, while systems may be certified as meeting a specific set of criteria—like the PCI DSS—they must be accredited (or approved by an appropriate authority) before being allowed to process a specific set of information (such as classified documents) at an acceptable level of risk.

49. Describe the three-tier approach of the RMF as defined by NIST SP 800-37.
ANSWER: NIST follows a three-tiered approach to risk management. Most organizations work from the top down, focusing first on aspects affecting the entire organization, such as governance (tier 1). Then, after the more strategic issues are addressed, they move toward more tactical issues around business processes (tier 2). The most detailed aspects are addressed in tier 3, dealing with information systems.

a. accreditation
b. baseline
c. benchmarking
d. certification
e. due diligence
f. best security practices
g. recommended business practices
h. standard of due care
i. performance measurements
j. NIST SP 800-37

50. The actions that demonstrate that an organization has made a valid effort to protect others, and a requirement that the implemented standards continue to provide the required level of protection.
ANSWER: e

51. The authorization of an IT system to process, store, or transmit information.
ANSWER: a

52. A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances.
ANSWER: h

53. Those security efforts that are considered among the best in the industry.
ANSWER: f

54. A comprehensive assessment of a system’s technical and nontechnical protection strategies, as specified by a particular set of requirements.
ANSWER: d

55. The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.
ANSWER: i

56. A common approach to a Risk Management Framework (RMF) for InfoSec practice.
ANSWER: j

57. An attempt to improve information security practices by comparing an organization’s efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.
ANSWER: c

58. Those procedures that provide a superior level of security for an organization’s information.
ANSWER: g

59. An assessment of the performance of some action or process against which future performance is assessed.
ANSWER: b