Saturday, February 23, 2019

Is411 Study Guide

Study Guide IS 411 Security Policies and Implementation Issues

A perfect policy will not prevent all threats entirely. The key to determining whether a company will adopt a policy is cost. Policies support the risk assessment and reduce cost by providing processes and procedures to manage the risk. A good policy includes support for incident handling. Pg 15

Policy may add complexity to a job, but that is not important. Unmanageable complexity refers to how complex and realistic the project is. The ability of the organization to support the security policies will be an important topic. Pg 105

Who should review changes to a business process? The policy change control board; at a minimum you should include participation from information security, compliance, audit, HR, leadership from other business units, and Project Managers (PMs). Pg 172

- Policy: a document that states how the organization is to perform and conduct business functions and transactions with a desired outcome. Policy is based on a business requirement (such as legal or organizational).
- Standard: an established and proven norm or method, which can be a procedural standard or a technical standard applied organization-wide.
- Procedure: a written statement describing the steps required to implement a process. Procedures are technical steps taken to achieve policy goals (a how-to document).
- Guideline: a parameter within which a policy, standard, or procedure is suggested but optional. Pg 11-13

Resiliency is a term used in IT to indicate how quickly the IT infrastructure can recover. Pg 279. The Recovery Time Objective (RTO) is the measurement of how quickly individual business processes can be recovered. The Recovery Point Objective (RPO) is the maximum acceptable level of data loss from the point of the disaster. The RTO and RPO may not be the same value.
Pg 287. Policies are the key to repeatable behavior. To achieve repeatable behavior you must measure both consistency and quality. Oversight phases to achieve consistency:
* Monitor
* Measure
* Review
* Track
* Improve
Pg 40

Find ways to mitigate risk through reward. Reward refers to how management reinforces the value of following policies. An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies. This could be as simple as noting the level of compliance with policies in the employee's annual review. Pg 78

Key policies and controls by domain:
* User domain: Acceptable Use Policy (AUP), E-mail policy, Privacy policy (covers physical security), system access policy, IDs & passwords, Authorization (Role Based Access Control, RBAC), Authentication (most important).
* Workstation domain: Microsoft System Center Configuration Manager. Inventory tracks LAN connections; Discovery detects software and data installed, for compliance; Patch keeps current patches installed; Help desk has remote access to diagnose, reconfigure, and reset IDs; Log extracts logs to a central repository; Security ensures users have correct rights and alerts on added administrator accounts.
* LAN domain: a Hub connects multiple devices; a Switch can filter traffic; a Router connects LANs or LAN-WAN; a Firewall filters traffic in and out of the LAN, commonly used to filter traffic from the public internet WAN to the private LAN. A flat network has little or no control to limit network traffic. A segmented network limits what and how computers are able to talk to each other by using switches, routers, firewalls, etc.
* LAN-WAN domain: generally, routers and firewalls are used to connect LAN-WAN. A Demilitarized Zone (DMZ) provides public-facing access to the organization, such as public websites. The DMZ sits between two layers of firewalls to limit traffic between the LAN and the WAN.
* WAN domain: the unsecure public Internet. A Virtual Private Network (VPN) is a secure and private encrypted tunnel.
Firewalls have the capability to create and terminate a VPN tunnel. A VPN is lower cost and saves time for small to medium companies compared with a leased line.

Remote Access domain: an enhanced user domain. Remote authentication is two-factor:
* Something you know (ID/password)
* Something you have (secure token)
* Something you are (biometric)
The VPN client communicates with VPN hardware for tunneling (client-to-site VPN). It maintains authentication, confidentiality, integrity and nonrepudiation.

System/Application domain: application software is the heart of all business applications. The application transmits the transaction to the server.

Data Loss Protection (DLP), or Data Leakage Protection (DLP), refers to a program that reduces the likelihood of accidental or malicious loss of data. DLP involves inventory, perimeter (protection at endpoints) and encryption of mobile devices. Pg 67

Motivation: pride (work is important), self-interest (repeated behavior is rewarded; most important, pg 326), and success (winning, ethical, soft skills). Pg 91

Executive management support is critical in overcoming hindrances. A lack of support makes implementing security policies impossible. Listen to executive needs and share in policy. Pg 341

Security policies let your organization set rules to reduce risk to information assets. Pg 22. The three most common security controls are:
* Physical: prevent access to the device
* Administrative: procedural control such as security awareness training
* Technical: software such as antivirus and firewalls, and hardware
Pg 27

Information Systems Security (ISS) is the act of protecting information and the systems that store and process it. Information Assurance (IA) focuses on protecting information during processing and use. Security tenets known as the five pillars of the IA model:
* Confidentiality
* Integrity
* Availability
* Authentication
* Nonrepudiation

Policy must be clearly written. Unclear value refers to the clarity of the value a project brings.
In the case of security policies, it's important to demonstrate how these policies will reduce risk. It's equally important to demonstrate how the policies were derived in a way that keeps the business cost and impact low. Pg 104

Data roles:
- Head of information management: the single point of contact responsible for data quality within the enterprise.
- Data stewards: individuals responsible for data quality within a business unit.
- Data administrators: execute policies and procedures such as backup, versioning, up/down loading, and database administration.
- Data security administrators: grant access rights and assess threats in IA programs. Pg 188
- Information security officer: identifies, develops and implements security policies.
- Data owner: approves access rights to information.
- Data manager: responsible for procedures for how data should be handled and classified.
- Data custodian: individual responsible for day-to-day maintenance; grants access based on the data owner, performs backups and recovery, maintains the data center and applications.
- Data user: end user of an application.
- Auditor: internal or external individual who assesses the design and effectiveness of security policies. Pg 115

Separation of duty principle: responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss. Pg 156

Internal control principle: information security forms the core of an organization's information internal control systems. Regulations mandate that internal control systems be in place and operate correctly. Organizations rely on technology to maintain business records. It's essential that such technology include internal control mechanisms. These maintain the integrity of the information and represent a true picture of the organization's activities. Pg 155

Lines of defense in the service sector:
1. Business Unit (BU): deals with controlling risk daily and mitigates risk when possible. Develops long- and short-term strategies; directly accountable.
2. Enterprise Risk Management (ERM) program: the group owns the risk process. Provides guidance to BUs, aligns policies with company goals, and has oversight of risk committees and risk initiatives.
3. Independent auditor: assures the board and executive management that the risk function is designed and working well. Pg 192

The Health Insurance Portability and Accountability Act (HIPAA) protects a person's privacy. HIPAA defines someone's health record as protected health information (PHI). HIPAA establishes how PHI can be collected, processed and disclosed and provides penalties for violations. Health care clearinghouses process and facilitate billing. Pg 50

Executive management is ultimately responsible for ensuring that data is protected. The information systems security organization enforces security policies at a program level. The team is accountable for identifying violations of policies. The front-line manager/supervisor enforces security policies at an employee level. Employees are responsible for understanding their roles and the security policies. They are accountable for following those policies. Employees can still be held liable for violations of the law. Employees can be prosecuted for illegal acts. Sampling of key roles to enforce security policies:
* General counsel: enforces legally binding agreements
* Executive management: implements enterprise risk management
* Human resources: enforces disciplinary actions
* Information systems security organization: enforces policies at the program level
* Front-line manager/supervisor: enforces policies at the employee level
Pg 366

A Privileged-level Access Agreement (PAA) is designed to heighten the awareness and accountability of those users who have administrative rights. Security Awareness Policy (SAP): laws can define the frequency and target audience.
Acceptable Use Policy (AUP) defines the intended uses of computers and networks. A good AUP should accompany security awareness training. Pg 220

Auditors are feared. Contractors comply with the same security policies as any other employee (such as an AUP). There may be additional policy requirements on a contractor such as a special non-disclosure agreement and deeper background checks. Pg 215

Data classification by recovery period:
* Critical: data must be recovered immediately. Recovery period: 30 minutes. Examples: website, customer records.
* Urgent: data can be recovered later. Recovery period: 48 hrs. Examples: e-mail backups.
* Non-vital: not vital for daily operations. Recovery period: 30 days. Examples: historical records, archives.
Pg 263

U.S. military classification of national security information, document EO 12356:
* Top secret: grave damage to national security
* Secret: serious damage to NS
* Confidential: cause damage to NS
* Sensitive but unclassified: confidential data under the Freedom of Information Act
* Unclassified: available to the public

A Business Continuity Plan (BCP) policy creates a plan to continue business after a disaster. Elements include key assumptions, accountabilities, and frequency of testing, and part of it is the BIA. The purpose of the Business Impact Analysis (BIA) is to determine the impact to an organization in the event that key processes and technology are not available. Assets include critical resources, systems, facilities, personnel, and records. Pg 278

Desired results of the BIA include:
* A list of critical processes and dependencies
* A workflow of processes that includes the human requirements to recover key assets
* Analysis of legal and regulatory requirements
* A list of critical vendors and support agreements
* An estimate of the maximum allowable downtime
Pg 286

Disaster Recovery Plan (DRP) is the policies and documentation needed for an organization to recover its IT assets after a disaster (part of the BCP). Pg 288

Governance requires a strong governance structure in place. This includes established reporting to the board of directors. Most boards receive formal GLBA reporting through the audit committee. The head of information security usually writes this report each quarter. Pg 51

An Incident Response Team (IRT) is a specialized group of people whose purpose is to respond to major incidents. The IRT is typically a cross-functional (different skills) team. Pg 297. Common IRT members include:
* Information technology SMEs
* Information security representative
* HR
* Legal
* PR
* Business continuity representative
* Data owner
* Management
* Emergency services (normally an outside agency, i.e. police)
Pg 302

Visa requires its merchants to report security incidents involving cardholder data. Visa classifies incidents into the following categories:
* Malicious code attacks
* Denial of service (DoS)
* Unauthorized access/theft
* Network reconnaissance probe
Pg 299

Declare an incident, then develop a solution/procedure to control the incident. Before a response can be formulated, a decision needs to be made: whether to immediately pursue the attacker or to protect the organization. Having a protocol in advance with management can establish priorities and expedite the decision. It is important to have a set of responses prepared in advance. Allowing the attacker to continue provides evidence on the attack. The most common response is to stop the attack as quickly as possible. Pg 309

How do you collect data? A trained specialist collects the information. A chain of custody is established and documented. For digital evidence, take a bit image of the machines and calculate a hash value. The hash value is essentially a fingerprint of the image. The IRT coordinator maintains the evidence log, and only copies are logged out for review. Pg 311

Why do policies fail? Without cohesive support from all levels of the organization, acceptance and enforcement will fail.
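The evidence-handling step above (bit image, hash fingerprint, coordinator's evidence log, copies only are released) as an added worked example; this is not code from the course or the study guide, and the image bytes, case id and analyst names are constructed stand-ins.

```python
"""Chain-of-custody handling for a disk image: fingerprint the original,
log every action, and release only copies that hash identically."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a bit-for-bit disk image (a real one is a file).
ORIGINAL_IMAGE = b"\x00" * 512 + b"MBR-and-filesystem-bytes-constructed" + b"\xff" * 512


def fingerprint(image: bytes) -> str:
    """SHA-256 over the whole image: the 'fingerprint' the guide describes."""
    return hashlib.sha256(image).hexdigest()


class EvidenceLog:
    """Evidence log as maintained by the IRT coordinator (constructed schema)."""

    def __init__(self, case_id: str, image: bytes, collector: str):
        self.case_id = case_id
        self.original_hash = fingerprint(image)  # recorded once, at acquisition
        self.entries = []
        self._record("acquired", collector, "bit image taken, hash recorded")

    def _record(self, action: str, who: str, note: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "case": self.case_id, "action": action, "who": who, "note": note,
        })

    def check_out_copy(self, copy_image: bytes, reviewer: str) -> bool:
        """Release a working copy only if it hashes the same as the original.
        The original is never logged out; reviewers only ever get copies."""
        copy_hash = fingerprint(copy_image)
        if copy_hash != self.original_hash:
            self._record("rejected", reviewer, "copy hash mismatch " + copy_hash[:12])
            return False
        self._record("copy_out", reviewer, "verified copy released for review")
        return True

    def verify_original(self, image: bytes) -> bool:
        """Re-hash the stored original to show it is unchanged since acquisition."""
        return fingerprint(image) == self.original_hash


def demo() -> tuple:
    log = EvidenceLog("CASE-EXAMPLE-1", ORIGINAL_IMAGE, collector="analyst-a")
    good = log.check_out_copy(bytes(ORIGINAL_IMAGE), reviewer="analyst-b")
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[600] ^= 0x01  # a single flipped bit changes the whole fingerprint
    bad = log.check_out_copy(bytes(tampered), reviewer="analyst-c")
    return good, bad, log.verify_original(ORIGINAL_IMAGE), len(log.entries)


if __name__ == "__main__":
    print(demo())  # (True, False, True, 3)
```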
Pg 19

Which law allows companies to manage employees? The Electronic Communications Privacy Act (ECPA) gives employers the right to monitor employees in the ordinary course of business. Pg 356

Policy enforcement can be accomplished through automation or manual controls. Automated controls are cost-effective for large volumes of work that need to be performed consistently. A short list of several common automated controls:
* Authentication methods
* Authorization methods
* Data encryption
* Logging events
* Data segmentation
* Network segmentation
Pg 361

Microsoft Baseline Security Analyzer (MBSA) is a free download that can query systems for common vulnerabilities. It starts by downloading an up-to-date XML file. This file includes known vulnerabilities and released patches. Pg 378

Plans:
* Business Continuity Plan (BCP): sustain business during a disaster
* Continuity of Operations Plan (COOP): support strategic functions during a disaster
* Disaster Recovery Plan (DRP): plan to recover the facility at an alternate site during a disaster
* Business Recovery Plan (BRP): recover operations immediately following a disaster
* Occupant Emergency Plan (OEP): plan to minimize loss of life or injury and protect property from physical threat
Pg 292

Additional notes

There are two types of SAS 70 audits:
* Type I is fundamentally a design review of controls.
* Type II includes Type I, and the controls are tested to see if they work.
Pg 61

Governance, Risk management, and Compliance (GRC) and Enterprise Risk Management (ERM) both aim to control risk. ERM takes a broad look at risk, while GRC is technology focused. The top three GRC frameworks are the ISO 27000 series, COBIT, and COSO. Pg 197

Incident severity classification:
* Severity 4: a small number of system probes or scans detected. An isolated instance of a virus. Event handled by automated controls. No unauthorized activity detected.
* Severity 3: significant probes or scans. Widespread virus activity. Event requires manual intervention. No unauthorized activity detected.
* Severity 2: DoS detected with limited impact. Automated controls failed to prevent the event. No unauthorized activity detected.
* Severity 1: successful penetration or DoS attack with significant disruption, or unauthorized activity detected.
Pg 308

To measure effectiveness, include IRT charter goals and analytics. Metrics are:
* Number of incidents
* Number of repeat incidents (signifies lack of training)
* Time to contain per incident (every incident is different; least important)
* Financial impact to the organization (most important to management)

Key terms
- Bolt-on: refers to adding information security as a distinct layer of control after the fact.
- Business Impact Analysis (BIA): a formal analysis to determine the impact in the event key processes and technology are not available.
- Committee of Sponsoring Organizations (COSO): focuses on financial and risk management.
- Control Objectives for Information and related Technology (COBIT): framework that brings together business and control requirements with technical issues.
- Detective control: a manual control that identifies a behavior after it has happened.
- Federal Desktop Core Configuration (FDCC): a standard image mandated in any federal agency. The image locks down the operating system with specific security settings.
- Firecall-ID: a process granting elevated rights temporarily to resolve a problem.
- Flat network: has little or no controls to limit network traffic.
- Information Technology Infrastructure Library (ITIL): a framework that contains a comprehensive list of concepts, practices and processes for managing IT services.
- IRT coordinator: documents all activities during an incident; the official scribe.
- IRT manager: makes all the final calls on how to respond; interfaces with management.
- Non-disclosure Agreement (NDA): also known as a confidentiality agreement.
- OCTAVE: an acronym for Operationally Critical Threat, Asset, and Vulnerability Evaluation; an ISS framework consisting of tools, techniques, and methods.
- Pretexting: when a hacker outlines a story in which the employee is asked to reveal information that weakens security.
- Security Content Automation Protocol (SCAP): NIST specification for how security software products measure, evaluate and report compliance.
- Supervisory Control and Data Acquisition (SCADA): system hardware and software that collects critical data to keep a facility operating.
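The incident severity classification given above (Severity 4 least severe, Severity 1 most severe) written as ordered rules, so that a single severity-1 fact about an event outranks any number of lesser findings. This is an added example, not from the study guide or the course; the event fields, the probe cut-off and the sample events are constructed.

```python
"""Severity rubric as precedence rules, plus a worst-first triage ordering."""
from dataclasses import dataclass


@dataclass
class Event:
    name: str
    probes: int = 0                # probes or scans observed
    virus: str = "none"            # "none", "isolated" or "widespread"
    unauthorized: bool = False     # unauthorized activity detected
    dos: str = "none"              # "none", "limited" or "significant"
    penetration: bool = False      # successful penetration
    controls_failed: bool = False  # automated controls failed to prevent it
    manual_needed: bool = False    # event required manual intervention


SIGNIFICANT_PROBES = 50  # assumed cut-off; the guide gives no number


def severity(e: Event) -> int:
    """Return 1 (worst) .. 4 (least). The most severe rule is tested first."""
    if e.penetration or e.dos == "significant" or e.unauthorized:
        return 1
    if e.dos == "limited" or e.controls_failed:
        return 2
    if e.probes >= SIGNIFICANT_PROBES or e.virus == "widespread" or e.manual_needed:
        return 3
    return 4  # few probes, isolated virus, handled by automated controls


def triage(events):
    """Order events worst-first, the way an IRT would pick them up."""
    return [(severity(e), e.name) for e in sorted(events, key=severity)]


# Constructed sample events for one day
SAMPLE = [
    Event("port-scan-from-one-host", probes=3),
    Event("worm-on-12-workstations", virus="widespread", manual_needed=True),
    Event("web-dos-limited", dos="limited"),
    Event("admin-login-from-unknown-ip", unauthorized=True),
    Event("av-blocked-one-file", virus="isolated", probes=1),
]

if __name__ == "__main__":
    for sev, name in triage(SAMPLE):
        print(f"Severity {sev}: {name}")
```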
