Davis, Nigel
CH.5 Review Questions (1-10)
February 25, 2014
1. The security framework provides a strategic direction to design and implement the security
infrastructure. It also ensures the accomplishment of objectives. Information security
governance is the application of the principles of corporate governance (that is, executive
management's responsibility to provide strategic direction, ensure the accomplishment of
objectives, oversee that risks are appropriately managed, and validate responsible resource
utilization) to the information security function.
2. In order to effectively implement security governance, the Corporate Governance Task Force
(CGTF) recommends that organizations follow an established framework, such as the IDEAL
framework from the Carnegie Mellon University Software Engineering Institute.
3. It is one of the most widely referenced security models in information technology: a code of
practice for information security management, which was originally published as British
Standard BS7799. ISO/IEC 27002 focuses on a broad overview of the various areas of
security, providing information on 127 controls over ten broad areas; ISO/IEC 27001 provides
information on how to implement ISO/IEC 27002 and how to set up an information security
management system (ISMS).
4. The global information security community had not defined any justification for a code of
practice as identified in ISO/IEC 17799. ISO/IEC 17799 lacked the necessary measurement
precision of a technical standard. ISO/IEC 17799 was not as complete as other frameworks.
ISO/IEC 17799 was hurriedly prepared given the tremendous impact its adoption could have on
industry information security controls. There was no reason to believe that ISO/IEC 17799 was
more useful than any other approach. The recommended alternative is to follow the major
process steps.
5. Other approaches are described in the many documents available from the Computer Security
Resource Center of the National Institute of Standards and Technology. The documents are
publicly available at no charge and have been for some time; they have been broadly reviewed
by government and industry professionals, and are among the references cited by the federal
government when it decided not to select the ISO/IEC 17799 standards. The following
sections examine these documents as they apply to the blueprint for information security:
SP 800-12, SP 800-14, SP 800-16, SP 800-18, SP 800-26 and SP 800-30.
6. They can benefit by using the awareness policies of federal agencies. Most agencies have these
policies in place. Federal agencies are also very good at examining and processing evidence. This
could be useful to private companies if some sort of theft, equipment loss or data loss were to
happen.
7. Some Web resources that can aid an organization in developing best practices as part of a
security framework include http://csrc.nist.gov/groups/SMA/fasp, www.cert.org,
www.techforum.com and www.iapsc.org.
8. Managerial controls are security processes that are designed by strategic planners and
implemented by the security administration of the organization. They set the direction and scope of
the security process and provide detailed instructions for its conduct, as well as addressing the
design and implementation of the security planning process and security program management.
Operational controls are management and lower-level planning functions that deal with the
operational functionality of security in the organization, such as disaster recovery and incident
response planning. They address personnel security, physical security, and the protection of
production inputs and outputs. Technical controls are the tactical and technical implementations
of security in the organization. They are the components put in place to protect an
organization's information assets.
9. Policies are rules that should be followed by the community or country. Standards are the
recommended status for the community or country. Practice is the actual application or use of
an idea, belief, or method, as opposed to theories about such application or use. The Enterprise
Information Security Policy is a direct support given to the organization's mission,
vision and direction. It would be used when providing direction in the development,
implementation and management of the security program. In an Issue-specific Security Policy, the
scope and applicability of the security policy are examined. It would be used when authorization
of user access, privacy protection, and fair and responsible use of the technology are addressed.
System-specific Security Policies often include standards and procedures to be implemented
while maintaining systems. They are used to address the implementation and configuration of
technology as well as the behavior of people. An Enterprise policy would be used to guide the use of the
Web, an Issue-specific Security Policy would be used for e-mail, and a System-specific Security
Policy would be used for office equipment/personal use.
10. Users are ultimately responsible for managing a technology. The Project Manager is responsible
for enforcing policy that affects the use of a technology.
