Tuesday, December 25, 2018

Is411 Study Guide

Study Guide IS 411 Security Policies and Implementation Issues

A perfect policy will not stop all threats. A key consideration is determining whether a business can implement any given policy at all. Policies support the risk assessment to reduce the cost by providing controls and procedures to manage the risk. A good policy includes support for incident handling. Pg 15

Policy may add complexity to a business, particularly when that complexity is not essential. Unmanageable complexity refers to how complex and viable the project is. The ability of the organization to support the security policies will be an important topic. Pg 105

Who should review changes to a business process? Policy change control: at a minimum you should include people from information security, compliance, audit, HR, leadership from other business units, and Project Managers (PMs). Pg 172

Policy – a document that states how the organization is to perform and conduct business functions and transactions with a desired outcome. Policy is based on a business requirement (such as legal or organizational).
Standard – an established and proven norm or method, which can be a procedural standard or a technical standard implemented organization-wide.
Procedure – a written statement describing the steps required to implement a process. Procedures are technical steps taken to achieve policy goals (how-to document).
Guideline – a parameter within which a policy, standard, or procedure is suggested but optional. pg 11-13

Resiliency is a term used in IT to indicate how quickly the IT infrastructure can recover. Pg 279. The Recovery Time Objective (RTO) is the measurement of how quickly individual business processes can be recovered.
Recovery Point Objective (RPO) is the maximum acceptable level of data loss from the point of the disaster. The RTO and RPO may not be the same value. Pg 287

Policies are the key to repeatable behavior. To achieve repeatable behavior you must measure both consistency and quality. Supervision phases for operational consistency:
* Monitor
* Prevention
* Review
* Track
* Improve
pg 40

Find ways to mitigate risk through reward. Reward refers to how management reinforces the value of following policies. An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies. This could be as simple as noting the level of compliance with policies in the employee's annual review. Pg 78

| Domain | Key policies and controls |
| --- | --- |
| User | Acceptable Use Policy (AUP); E-mail policy; Privacy policy – covers physical security; System access policy – IDs & passwords; Authorization – Role Based Access Control (RBAC); Authentication – most important |
| Workstation | Microsoft System Center Configuration Manager: Inventory – tracks local area network connections; Discovery – detects software and data installed for compliance; Patch – validates patches installed; Help desk – remote access to diagnose, reconfigure, fix IDs; Log – extracts logs to central repository; Security – ensures users have required rights, alerts on added admin accounts |
| LAN | Hub – connects multiple devices; Switch – can filter traffic; Router – connects LANs or LAN-WAN; Firewall – filters traffic in and out of the LAN, normally used to filter traffic from the public internet WAN to the private LAN; Flat network – has little or no controls to limit network traffic; Segmented – limits what and how computers are able to talk to each other by using switches, routers, firewalls, etc. |
| LAN-WAN | Generally, routers and firewalls are used to connect LAN-WAN. Demilitarized Zone (DMZ) provides public-facing access to the organization, such as public web sites. The DMZ sits between two layers of firewalls to limit traffic between LAN-WAN |
| WAN | Unsecured public Internet. Virtual Private Network (VPN) – secure and private encrypted tunnel. Firewalls have the capability to create and maintain a VPN tunnel. Lower cost, saves time for small to medium companies with a VPN instead of a dedicated line |
| Remote Access | Extends the user domain. Remote authentication – two factor: something you know (id/password); something you have (secure token); something you are (biometric). VPN client communicates with VPN hardware for tunneling, client-to-site VPN: maintains authentication, confidentiality, integrity and nonrepudiation |
| System/Application | Application software is the heart of all business applications. The application transmits the transaction to the server. Data Loss Protection (DLP) or Data Leakage Protection (DLP) refers to a program that reduces the likelihood of accidental or malicious loss of data. DLP involves inventory, perimeter (protected at endpoints) and encryption of mobile devices. Pg 67 |

Motivation – pride (work is important), self-interest (repeat behavior rewarded, most important pg 326), and success (winning, ethical, soft skills). Pg 91

Executive management support is critical in overcoming hindrances. A lack of support makes implementing security policies impossible. Listen to executive needs and address them in policy. Pg 341

Security policies let your organization set up rules to reduce risk to information assets. Pg 22. The three most common security controls are:
* Physical – prevent access to device
* Administrative – procedural controls such as security awareness training
* Technical – software such as antivirus, firewalls, and hardware
pg 27

Information System Security (ISS) is the act of protecting information and the systems that store and process it.
Information Assurance (IA) focuses on protecting information during processing and use. Security tenets known as the five pillars of the IA model:
* Confidentiality
* Integrity
* Availability
* Authentication
* Nonrepudiation

Policy must be clearly written. Unclear purpose refers to the clarity of value a project brings. In the case of security policies, it's important to demonstrate how these policies will reduce risk. It's equally important to demonstrate how the policies were derived in a way that keeps the business cost and impact low. Pg 104

Head of information management – the individual point of contact responsible for data quality within the enterprise.
Data stewards – individuals responsible for data quality within a business unit.
Data administrators – execute policies and procedures such as backup, versioning, up/down loading, and database administration.
Data security administrators – grant access rights and assess threats in IA programs. Pg 188
Information security officer – identifies, develops and implements security policies.
Data owners – approve access rights to information.
Data manager – responsible for procedures for how data should be handled and classified.
Data custodian – individual responsible for day-to-day maintenance, granting access based on the data owner, backups and recovery, and maintaining the data center and applications.
Data user – end user of an application.
Auditor – internal or external individual who assesses the role and effectiveness of security policies.
Pg 115

Separation of duties principle – responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss. Pg 156

Internal control principle – information security forms the core of an organization's information internal control systems. Regulations mandate that internal control systems be in place and operating correctly. Organizations rely on technology to maintain business records. It's essential that such technology include internal control mechanisms. These maintain the integrity of the information and represent a true record of the organization's activities. Pg 155

Lines of defense in the services sector:
1. Business Unit (BU) deals with controlling risk daily, mitigating risk when possible. Develops long- and short-term strategies; directly accountable.
2. Enterprise Risk Management (ERM) program; the group owns the risk process. Provides guidance to BUs, aligns policies with company goals, oversight of risk committees and risk initiatives.
3. Independent auditor assures the board and executive management that the risk function is designed and working well.
Pg 192

Health Insurance Portability and Accountability Act (HIPAA) protects a person's privacy. HIPAA defines someone's health record as protected health information (PHI). HIPAA establishes how PHI can be collected, processed and disclosed and provides penalties for violations. Health care clearinghouses process and facilitate billing. Pg 50

Executive management is ultimately responsible for ensuring that data is protected. The information systems security organization enforces security policies at a program level. The team is accountable for identifying violations of policies. The front-line manager/supervisor enforces security policies at an employee level. Employees are responsible for understanding their roles and the security policies.
They are accountable for following those policies. Employees can still be held liable for violations of the law. Employees can be prosecuted for illegal acts. Sampling of key roles to enforce security policies:
* General counsel – enforces legally binding agreements
* Executive management – implements enterprise risk management
* Human resources – enforces disciplinary actions
* Information systems security organization – enforces policies at program level
* Front-line manager/supervisor – enforces policies at employee level
pg 366

A Privileged-level Access Agreement (PAA) is designed to heighten the awareness and accountability of those users who have administrative rights. Security Awareness Policy (SAP) laws can outline the frequency and target audience. Acceptable Use Policy (AUP) defines the intended uses of computers and networks. A good AUP should accompany security awareness training. Pg 220

Auditors are feared??? Contractors comply with the same security policies as any other employee (such as an AUP). There may be additional policy requirements on a contractor such as a separate non-disclosure agreement and deeper background checks. Pg 215

| Data Class | Class Description | Recovery Period | Examples |
| --- | --- | --- | --- |
| Critical | Data must be recovered immediately | 30 minutes | Website, customer records |
| Urgent | Data can be recovered later | 48 hrs | E-mail backups |
| Non-vital | Not vital for daily operations | 30 days | Historical records, memos |
pg 263

U.S. military classification – national security information document EO 12356.
* Top Secret – grave damage to national security
* Secret – serious damage to NS
* Confidential – cause damage to NS
* Sensitive but unclassified – confidential data under the Freedom of Information Act
* Unclassified – available to the public

A Business Continuity Plan (BCP) policy creates a plan to sustain business after a disaster.
Elements include key assumptions, accountabilities, frequency of testing, and part includes the BIA. The purpose of the Business Impact Analysis (BIA) is to determine the impact to an organization in the event that key processes and technology are not available. Assets include critical resources, systems, facilities, personnel, and records. Pg 278 Desired results of the BIA include:
* A list of critical processes and dependencies
* A work flow of processes that includes human requirements to recover key assets
* Analysis of legal and regulatory requirements
* A list of critical vendors and support agreements
* An estimate of the maximum allowable downtime
pg 286

Disaster Recovery Plan (DRP) is the policies and documentation needed for an organization to recover its IT assets after a disaster (part of the BCP). Pg 288

Governance – requires a strong governance structure in place. This includes formal reporting to the board of directors. Most boards receive formal GLBA reporting through the audit committee. The head of information security usually writes this report each quarter. Pg 51

An Incident Response Team (IRT) is a specialized group of people whose purpose is to respond to major incidents. The IRT is typically a cross-functional (different skills) team. Pg 297. Common IRT members include:
* Information technology SMEs
* Information security representative
* HR
* Legal
* PR
* Business continuity representative
* Data owner
* Management
* Emergency services (normally an outside agency, i.e. police)
pg 302

Visa requires its merchants to report security incidents involving cardholder data. Visa classifies incidents into the following categories:
* Malicious code attacks
* Denial of service (DOS)
* Unauthorized access/theft
* Network reconnaissance probe
pg 299

Declare an incident, then develop a resolution/procedure to control the incident. Before a response can be formulated, a decision needs to be made.
This involves whether to immediately pursue the attacker or protect the organization. Having a protocol in advance with management can establish priorities and expedite a decision. It is important to have a set of responses prepared in advance. Allowing the attacker to continue provides evidence on the attack. The most common response is to stop the attack as quickly as possible. Pg 309

How do you collect data? A trained specialist collects the information. A chain of custody is established and documented. For digital evidence, take a bit image of the machines and calculate a hash value. The hash value is essentially a fingerprint of the image. The IRT coordinator maintains the evidence log, and only copies are logged out for review. Pg 311

Why do policies fail? Without cohesive support from all levels of the organization, acceptance and enforcement will fail. Pg 19

Which law allows companies to monitor employees? The Electronic Communications Privacy Act (ECPA) gives employers the right to monitor employees in the ordinary course of business. Pg 356

Policy enforcement can be accomplished through automated or manual controls. Automated controls are cost efficient for large volumes of work that need to be performed consistently. A short list of several common automated controls:
* Authentication methods
* Authorization methods
* Data encryption
* Logging events
* Data segmentation
* Network segmentation
pg 361

Microsoft Baseline Security Analyzer (MBSA) is a free download that can query systems for common vulnerabilities. It starts by downloading an up-to-date XML file. This file includes known vulnerabilities and the corresponding patches.
Pg 378

Business Continuity Plan (BCP) – sustain business during disaster
Continuity of Operations Plan (COOP) – support strategic functions during disaster
Disaster Recovery Plan (DRP) – plan to recover facility at alternate site during disaster
Business Recovery Plan (BRP) – recover operation immediately following disaster
Occupant Emergency Plan (OEP) – plan to minimize loss of life or injury and protect property from physical threat
pg 292

Extra notes: There are two types of SAS 70 audits:
* Type I – is basically a design review of controls.
* Type II – includes Type I, and the controls are tested to determine if they work.
Pg 61

Governance, Risk management, and Compliance (GRC) and Enterprise Risk Management (ERM) both serve to control risk. ERM takes a broad look at risk, while GRC is technology focused. The GRC top three best frameworks are the ISO 27000 series, COBIT, and COSO. Pg 197

Incident severity classification:
* Severity 4 – small number of system probes or scans detected. An isolated instance of a virus. Event handled by automated controls. No unauthorized activity detected.
* Severity 3 – significant probes or scans. Widespread virus activity. Event requires manual intervention. No unauthorized activity detected.
* Severity 2 – DOS detected with limited impact. Automated controls failed to prevent the event. No unauthorized activity detected.
* Severity 1 – successful penetration or DOS attack with significant disruption. Or unauthorized activity detected.
Pg 308

To measure the effectiveness, include IRT charter goals and analytics. Metrics are:
* Number of incidents
* Number of repeat incidents (signifies lack of training)
* Time to contain per incident (every incident is different, least important)
* Financial impact to the organization (most important to management)

Glossary terms:
Bolt-on – refers to adding information security as a distinct layer of control after the fact.
Business Impact Analysis (BIA) – a formal analysis to determine the impact in the event key processes and technology are not available.
Committee of Sponsoring Organizations (COSO) – focuses on financial and risk management.
Control Objectives for Information and related Technology (COBIT) – framework that brings together business and control requirements with technical issues.
Detective control – a manual control that identifies a behavior after it has happened.
Federal Desktop Core Configuration (FDCC) – a standard image mandated in any federal agency. The image locks down the operating system with specific security settings.
Firecall-ID – a process granting elevated rights temporarily to work out a problem.
Flat network – has little or no controls to limit network traffic.
Information Technology Infrastructure Library (ITIL) – a framework that contains a comprehensive list of concepts, practices and processes for managing IT services.
IRT coordinator – documents all activities during an incident; official scribe.
IRT manager – makes all the final calls on how to respond; interfaces with management.
Non-disclosure Agreement (NDA) – also known as a confidentiality agreement.
OCTAVE – acronym for Operationally Critical Threat, Asset, and Vulnerability Evaluation. ISS framework consisting of tools, techniques, and methods.
Pretexting – when a hacker outlines a story in which the employee is asked to reveal information that weakens the security.
Security Content Automation Protocol (SCAP) – NIST specification for how security software products measure, evaluate and report compliance.
Supervisory Control and Data Acquisition (SCADA) – system hardware and software that collects critical data to keep a facility operating.
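The evidence-collection procedure from Pg 311 above (bit image, hash value as fingerprint, IRT coordinator's evidence log, only copies logged out for review), carried through as an added Python example that is not part of the study guide or the textbook. The log structure, the evidence id and the in-memory byte string standing in for a disk image are constructed for illustration; on a real case the same hashing runs over the image file.

```python
import hashlib
from datetime import datetime, timezone


def fingerprint(image: bytes) -> str:
    """SHA-256 of a bit image: the 'fingerprint' the study guide refers to."""
    return hashlib.sha256(image).hexdigest()


class EvidenceLog:
    """Evidence log maintained by the IRT coordinator (constructed structure).

    The original image's hash is recorded once at acquisition; only copies are
    logged out for review, and a copy is refused if its hash does not match."""

    def __init__(self):
        self.items = {}    # evidence id -> hash recorded at acquisition
        self.entries = []  # chronological chain-of-custody entries

    def _record(self, evidence_id, action, who, note=""):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "evidence": evidence_id, "action": action, "who": who, "note": note,
        })

    def acquire(self, evidence_id, image, collector):
        """The trained specialist takes the image; its hash becomes the reference."""
        self.items[evidence_id] = fingerprint(image)
        self._record(evidence_id, "acquired", collector, self.items[evidence_id])
        return self.items[evidence_id]

    def check_out_copy(self, evidence_id, image_copy, reviewer):
        """Log out a copy for review only if it is byte-identical to the original."""
        if fingerprint(image_copy) != self.items[evidence_id]:
            self._record(evidence_id, "copy rejected", reviewer, "hash mismatch")
            return False
        self._record(evidence_id, "copy checked out", reviewer)
        return True


# Constructed stand-in for a disk image, plus a copy with its last byte altered.
ORIGINAL_IMAGE = b"\x00" * 512 + b"sample boot sector" + b"\xff" * 512
TAMPERED_COPY = ORIGINAL_IMAGE[:-1] + b"\xfe"


def demo():
    # Acquire, hand out a faithful copy, reject a tampered one; returns the outcomes.
    log = EvidenceLog()
    log.acquire("HOST-01-image", ORIGINAL_IMAGE, "forensic specialist")
    good = log.check_out_copy("HOST-01-image", bytes(ORIGINAL_IMAGE), "analyst A")
    bad = log.check_out_copy("HOST-01-image", TAMPERED_COPY, "analyst B")
    return good, bad, len(log.entries)
```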
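The Pg 308 severity scheme and the IRT effectiveness metrics listed after it, implemented as an added Python example that is not from the study guide or the textbook. The observation field names, the numeric thresholds standing in for "small" versus "significant" and "isolated" versus "widespread" (the page gives no numbers), and the incident record shape are my own assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Observation:
    """What monitoring controls reported for one event (constructed field names)."""
    probe_count: int = 0                  # system probes or scans seen
    virus_hosts: int = 0                  # hosts showing virus activity
    automated_controls_held: bool = True  # automated controls handled the event
    dos_detected: bool = False            # DOS with limited impact
    dos_significant: bool = False         # DOS with significant disruption
    penetration: bool = False             # successful penetration
    unauthorized_activity: bool = False


# Constructed thresholds: the page says "small"/"significant" but gives no numbers.
SIGNIFICANT_PROBES = 50
WIDESPREAD_VIRUS = 10


def classify(obs: Observation) -> int:
    """Return severity 1 (worst) to 4, checked from the worst level downward so that
    unauthorized activity or a successful penetration overrides anything else seen."""
    if obs.unauthorized_activity or obs.penetration or obs.dos_significant:
        return 1                          # Severity 1
    if obs.dos_detected:
        return 2                          # Severity 2: limited-impact DOS got through
    if (obs.probe_count >= SIGNIFICANT_PROBES or obs.virus_hosts >= WIDESPREAD_VIRUS
            or not obs.automated_controls_held):
        return 3                          # Severity 3: needs manual intervention
    return 4                              # Severity 4: handled by automated controls


@dataclass
class Incident:
    """One closed incident, in the shape the four metrics on the page need."""
    severity: int
    category: str                         # e.g. "probe", "DOS", "malicious code"
    hours_to_contain: float
    cost: float


def irt_metrics(incidents: list) -> dict:
    """Number of incidents, repeats (same category seen again), time to contain, cost."""
    by_category = Counter(i.category for i in incidents)
    return {
        "incidents": len(incidents),
        "repeat_incidents": sum(n - 1 for n in by_category.values()),
        "avg_hours_to_contain": round(sum(i.hours_to_contain for i in incidents) / len(incidents), 2),
        "financial_impact": sum(i.cost for i in incidents),
    }
```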
