Is411 Study Guide

Only available on StudyMode
Published: November 26, 2012
Study Guide IS 411
Security Policies and Implementation Issues

A perfect policy will not prevent all threats. The key factor in determining whether a business will implement any policy is cost. Policies support the risk assessment and reduce that cost by providing the controls and procedures used to manage the risk. A good policy includes support for incident handling. Pg 15

Policy may add complexity to a job, but that in itself is not the concern. Unmanageable complexity refers to how complex the project is and whether it is realistic to carry out. The ability of the organization to support the security policies is the important consideration. Pg 105

Who should review changes to a business process?
A policy change control board. At a minimum, it should include people from information security, compliance, audit, HR, leadership from the other business units, and Project Managers (PMs). Pg 172

Policy – a document that states how the organization is to perform and conduct business functions and transactions with a desired outcome. Policy is based on a business requirement (such as a legal or organizational one).

Standard – an established and proven norm or method, which can be a procedural standard or a technical standard implemented organization-wide.

Procedure – a written statement describing the steps required to implement a process. Procedures are the technical steps taken to achieve policy goals (a how-to document).

Guideline – a parameter within which a policy, standard, or procedure is suggested but optional. Pg 11-13

Resiliency is a term used in IT to indicate how quickly the IT infrastructure can recover. Pg 279. The Recovery Time Objective (RTO) is the measurement of how quickly individual business processes can be recovered. The Recovery Point Objective (RPO) is the maximum acceptable level of data loss, measured from the point of the disaster. The RTO and RPO need not be the same value. Pg 287

Policies are the key to repeatable behavior. To achieve repeatable behavior you measure both consistency and quality. The oversight phases that lead to operational consistency are:
* Monitor
* Measure
* Review
* Track
* Improve
Pg 40
Find ways to mitigate risk through reward. Reward refers to how management reinforces the value of following policies. An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies. This could be as simple as noting the level of compliance to policies in the employee’s annual review. Pg 78

Domain | Key policies and controls
User | Acceptable Use Policy (AUP); e-mail policy; privacy policy – covers physical security; system access policy – IDs and passwords; authorization – Role Based Access Control (RBAC); authentication – most important
Workstation | Microsoft System Center Configuration Manager: inventory – tracks LAN connections; discovery – detects the software and information installed, for compliance; patch – current patches installed; help desk – remote access to diagnose, reconfigure, and reset IDs; log – extracts logs to a central repository; security – ensures users have limited rights, alerts on added administrator accounts
LAN | Hub – connects multiple devices; switch – can filter traffic; router – connects LANs or LAN-WAN; firewall – filters traffic in and out of the LAN, commonly used to filter traffic from the public internet (WAN) to the private LAN; flat network – has little or no control to limit network traffic; segmented network – limits what and how computers are able to talk to each other by using switches, routers, firewalls, etc.
LAN-WAN | Generally, routers and firewalls are used to connect LAN-WAN. Demilitarized...