Chapter 6 Security

For all the technical solutions you can devise to secure your systems, the __________ remains your greatest challenge.
Human element
What is meant by standard?
A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization
(T/F) The term standard describes initiating changes to avoid expected problems.
false (that is Proactive change management)
Because personnel are so important to solid security, one of the best security controls you can develop is a strong security ___________ and awareness program.
Training
(T/F) The term remediation refers to fixing something before it is broken, defective, or vulnerable.
False (remediation is fixing something that is already broken, defective, or vulnerable; fixing it beforehand is prevention)
(T/F) System owners are in control of data classification.
False
Which of the following is the definition of guideline?
A recommendation to purchase or how to use a product
The term guideline refers to a group that oversees all proposed changes to systems and networks.
false
Your organization’s __________ sets the tone for how you approach related activities.
Security
(T/F) The term functional policy describes a statement of an organization’s management direction for security in such specific functional areas as e-mail, remote access, and Internet surfing.
True
What term is used to describe a set of step-by-step actions to be performed to accomplish a security requirement, process, or objective?
procedure
(T/F) Accreditation is management’s formal acceptance of risk and their permission to implement.
true
(T/F) The process of managing the baseline settings of a system device is the definition of configuration control.
true
(T/F) When security seems to get in the way of an employee's productivity, they'll often bypass security measures to complete their work more quickly.
true
(T/F) Sprint means one of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other ways of developing software.
true
Which of the following is the definition of system owner?
The person responsible for the daily operations of the system and ensuring the system continues to operate in compliance with conditions set out by the AO.
(T/F) An organization must comply with rules on two levels: regulatory compliance and organizational compliance.
true
(T/F) A compliance liaison works with each department to ensure that it understands, implements, and monitors compliance in accordance with the organization’s policies.
true
What is meant by certification?
The technical evaluation of a system to provide assurance that you have implemented the system correctly.
The name given to a group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies, is ________.
emergency operations group
_________ ensures that any changes to a production system are tested, documented, and approved.
change control
________ states that users must never leave sensitive information in plain view on an unattended desk or workstation.
clean desk/clear screen policy
Accredited
In this chapter, a system that has received accreditation: management's formal acceptance of its risk and permission to implement. The term also refers to an educational institution that has successfully undergone evaluation by an external body to determine whether the institution meets applicable standards.
Agile Development
A method of developing software that is based on small project iterations, or sprints, instead of long project schedules.
Authorizing official (AO)
A senior manager who reviews a certification report and makes the decision to approve the system for implementation.
Certification
The technical evaluation of a system to provide assurance that you have implemented the system correctly. Also, an official statement that attests that a person has satisfied specific requirements. Requirements often include possessing a certain level of experience, completing a course of study, and passing an examination.
Change Control
The process of managing changes to computer/device configuration or application software.
Change Control Committee
A group that oversees all proposed changes to systems and networks.
Clean desk/clear screen policy
A policy stating that users must never leave sensitive information in plain view on an unattended desk or workstation.
Compliance liaison
A person whose responsibility it is to ensure that employees are aware of and comply with an organization’s security policies.
Configuration control
The process of managing the baseline settings of a system device.
Emergency operations group
A group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies.
Functional policy
A statement of an organization’s management direction for security in such specific functional areas as e-mail, remote access, and Internet surfing.
Proactive change management
Initiating changes to avoid expected problems.
Procedure
A set of step-by-step actions to be performed to accomplish a security requirement, process, or objective.
Reactive change management
Enacting changes in response to reported problems.
Security association (SA)
The basic element of ISAKMP key management. An SA contains all the information needed to provide a variety of network security services.
Security event log
Recorded information from system events that describes security-related activity.
Sprint
One of the small project iterations used in the “agile” method of developing software, in contrast with the usual long project schedules of other ways of developing software.
Standard
A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization.
System owner
The person responsible for the daily operation of a system and for ensuring that the system continues to operate in compliance with the conditions set out by the AO.
Waterfall model
A software development model that defines how development activities progress from one distinct phase to the next.