9 Cards in this Set

1. What is planning? How does an organization determine if planning is necessary?
Planning is the preparation, application, and control of a sequence of action steps to achieve specific goals. Each organization must balance the benefits of the chosen planning effort against the cost of that effort.
2. What are the three common levels of planning?

Strategic planning—the basis for long-term direction for the organization.

Tactical planning—has a shorter focus than strategic planning, usually one to three years, and breaks down each applicable strategic goal into a series of incremental objectives.

Operational planning—includes clearly identified coordination activities across department boundaries, communications requirements, weekly meetings, summaries, progress reports, and associated tasks.

4. What is a values statement? What is a vision statement? What is a mission statement? Why are they important? What do they contain?

A values statement is an established, formal set of organizational principles, standards, and qualities, as well as benchmarks for measuring behavior against the published values.

The vision statement makes conduct and performance standards clear to employees and the public.

The mission statement expresses what the organization wants to become. The mission statement explains what the organization does and for whom.

6. What is InfoSec governance?

InfoSec governance includes all the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, establish objectives, measure progress toward those objectives, verify that risk management practices are appropriate, and validate that the organization's assets are used properly.
8. What are the five basic outcomes that should be achieved through InfoSec governance?

Strategic alignment of InfoSec with business strategy to support organizational objectives.

Risk management by executing appropriate measures to manage and mitigate threats to information resources.

Resource management by utilizing InfoSec knowledge and infrastructure efficiently and effectively.

Performance measurement by measuring, monitoring, and reporting InfoSec governance metrics to ensure that organizational objectives are achieved.

Value delivery by optimizing InfoSec investments in support of organizational objectives.

9. Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?

Top-down strategic planning involves high-level managers providing resources and giving direction. Directors issue policies, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions.

In top-down planning, managers give direction on how projects should be handled, while in bottom-up planning, system administrators give direction on how projects should be handled.

Of the two, top-down planning is the more effective security strategy, since it encompasses critical features such as coordination between departments, coordinated plans from top management, provision of sufficient resources, and support from end users.

13. What is the difference between a threat and an attack?

An attack is a deliberate act that exploits a vulnerability. A threat is the danger that a system might be attacked.

14. How can a vulnerability be converted into an attack?

A threat agent converts a vulnerability into an attack by exploiting it if it is not addressed.
20. What are the three categories of InfoSec controls? How is each used to reduce risk for the organization?

Managerial controls cover security processes that are designed by the strategic planners and performed by the security administration of the organization.

Operational controls address personnel security, physical security, the protection of production inputs and outputs, management functions, and disaster recovery planning.

Technical controls address the specifics of technology selection and the acquisition of certain technical components, including logical access controls such as identification, authentication, authorization, and accountability.