Cards (39)

  • Automated Policy Management - This type of software was developed in response to the needs of information security practitioners.
  • Automation - It can streamline the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved and tracking when employees have read the policy.
  • Information Security Blueprint - It is the basis for all security program elements; a scalable, upgradeable, comprehensive plan to meet the organization's current and future information security needs.
  • Policies - These are the managerial directives that specify acceptable and unacceptable employee behavior in the workplace.
  • Policies - These are the living documents that must be managed.
  • Policies - These documents must be properly distributed, read, understood, agreed to, uniformly applied, and managed.
  • Four Components of Security Policies: Responsible Manager, Schedule of Reviews, Review Procedures and Practices, Policy and Revision Date
  • The policy manager is often called the Policy Administrator.
  • Policy Administrator - It is an employee who is responsible for the creation, revision, distribution, and storage of a policy in an organization.
  • Schedule of Reviews - Policies can only retain their effectiveness in a changing environment if they are periodically reviewed for currency and then modified accordingly.
  • Schedule of Reviews - Policies that are not kept current can become liabilities as outdated rules are enforced and new requirements are ignored.
  • Review Procedures and Practices - The policy manager should implement a mechanism by which people can make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box.
  • Review Procedures and Practices - Once the policy has come up for review, all comments should be examined and management-approved improvements should be implemented.
  • Policy and Revision Date - The simple action of dating the policy is often omitted.
  • Policy and Revision Date - When policies are drafted and published without dates, confusion can arise.
  • Sunset Clause - It indicates a policy's expiration date, particularly if the policy governs information use in a short-term business association.
  • Sunset Clause - It is a component of policy or law that defines an expected end date for its applicability.
  • Information Security Framework - It is an outline or structure of the organization's overall information security strategy that is used as a road map for planned changes to its information security environment.
  • ISO 27000 - This is the standard information security policy.
  • Information Security Model - It is an established information security framework, often popular among other organizations and backed by a recognized security agency, with exemplar details an organization may want to emulate in creating its own framework blueprint.
  • Sphere of Security - It measures how well you're protected against intruders.
  • Sphere of Use - It refers to an area when a person can use something safely or freely.
  • Sphere of Protection - It designates an area in which a person is legally permitted to protect another person from any dangers that might exist there.
  • Sphere of Safety - This sphere requires attentiveness for overhead hazards, underground dangers, and surrounding risks.
  • Three Levels of Control: Managerial Control, Operational Control, Technical Control.
  • Managerial Controls - These focus on administrative planning, organizing, leading, and controlling, and are designed by strategic planners and implemented by the organization.
  • Managerial Control safeguards are: governance and risk management.
  • Operational Control - It focuses on lower-level planning that deals with the functionality of the organization's security.
  • Operational Control safeguards are: disaster recovery and incident response planning.
  • Technical Control - It focuses on the application of modern technologies, systems, and processes to protect information assets.
  • Technical Control safeguards are: firewalls, virtual private networks, and IDPSs.
  • Defense in Depth - A strategy for protection of information assets that uses multiple layers and different types of control that will provide optimal protection.
  • Redundancy - Multiple types of technology that prevent the failure of one system from compromising the security of information.
  • Security Perimeter - The boundary between an organization's security efforts and the outside world or untrusted network areas.
  • Security Domain - An area of trust within which information assets share the same level of protection.
  • Security Education, Training, and Awareness - A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizations.
  • Security Training - It provides employees with detailed information and hands-on instruction to prepare them to perform their duties securely.
  • Security Awareness - A security awareness program is one of the least frequently implemented but most beneficial programs in an organization.
  • Security Awareness - It is designed to keep information security at the forefront of users' minds.