1. How do the InfoSec management team's goals and objectives differ from those of the IT and general management communities?
The InfoSec management team's goals are primarily focused on protecting the organization's information assets, which means ensuring the confidentiality, integrity, and availability of data. IT management, on the other hand, is concerned with the efficient use of technology to meet business objectives, while general management focuses on overall business strategy, operations, and profitability.

2. What is included in the InfoSec planning model?
The InfoSec planning model includes:
- Identification of assets and their value
- Risk assessment
- Development of policies and procedures
- Implementation of security measures
- Regular monitoring and review

3. List and briefly describe the general categories of information security policy.
The general categories of information security policy are:
- Enterprise Information Security Policy (EISP)
- Issue-Specific Security Policy (ISSP)
- System-Specific Security Policy (SysSP)

4. Briefly describe strategic planning.
Strategic planning in InfoSec sets the long-term goals and strategies for protecting an organization's information assets. It includes identifying potential threats, assessing risks, and developing a comprehensive security program.

5. List and briefly describe the levels of planning.
The levels of planning are:
- Strategic planning: long-term goals and strategies
- Tactical planning: short-term actions to achieve strategic goals
- Operational planning: day-to-day activities to implement tactical plans

6. What is governance in the context of information security management?
Governance in InfoSec management refers to the framework of rules, responsibilities, and processes that guide and control the organization's information security activities.

7. What are the differences between a policy, a standard, and a practice? Where would each be used?
A policy is a high-level plan that outlines the organization's security objectives. A standard is a specific requirement for how something must be done. A practice is a detailed, step-by-step guide on how to perform a task. Policies are used at the organizational level, standards are used to guide specific actions, and practices are used for operational tasks.

8. What is an EISP, and what purpose does it serve?
An EISP is a high-level policy that outlines the organization's approach to information security. It serves to guide the development and implementation of more detailed security policies and procedures.

9. Who is ultimately responsible for managing a technology? Who is responsible for enforcing policy that affects the use of a technology?
The IT department is typically responsible for managing technology, while the InfoSec department is responsible for enforcing policies that affect the use of technology.

10. What is needed for an information security policy to remain viable?
For an information security policy to remain viable, it must be regularly reviewed and updated to reflect changes in technology, business operations, and the threat landscape.

11. How can a security framework assist in the design and implementation of a security infrastructure? What is information security governance? Who in the organization should plan for it?
A security framework provides a structured approach to designing and implementing a security infrastructure. Information security governance is the framework of rules, responsibilities, and processes that guide and control the organization's information security activities. Senior management should plan for it.

12. Where can a security administrator find information on established security frameworks?
Security administrators can find information on established security frameworks from various sources, including the websites of standards organizations such as ISO and NIST, and professional organizations such as ISACA and (ISC)².

13. What is the ISO 27000 series of standards? Which individual standards make up the series?
The ISO 27000 series is a set of international standards for information security management. The series includes individual standards such as ISO 27001 (requirements for an information security management system), ISO 27002 (code of practice for information security controls), and ISO 27005 (information security risk management), among others.

14. What documents are available from the NIST Computer Security Resource Center (CSRC), and how can they support the development of a security framework?
The NIST CSRC provides a wide range of documents, including special publications, guidelines, recommendations, and reference materials, which can support the development of a security framework.

15. What Web resources can aid an organization in developing best practices as part of a security framework?
Websites of standards organizations (ISO, NIST), professional organizations (ISACA, (ISC)²), and industry forums (SANS Institute, OWASP) can provide valuable resources for developing best practices as part of a security framework.

16. Briefly describe management, operational, and technical controls, and explain when each would be applied as part of a security framework.
Management controls are security processes that are defined and implemented by management. Operational controls are the day-to-day procedures and mechanisms that protect information assets. Technical controls are the hardware and software mechanisms that protect information systems. These controls are applied together as part of a security framework to provide comprehensive protection.

17. What is defense in depth?
Defense in depth is a security strategy that uses multiple layers of security controls to protect information assets. The idea is that if one layer fails, the other layers will still provide protection.

18. Define and briefly explain the SETA program and what it is used for.
A SETA (Security Education, Training, and Awareness) program is designed to increase users' awareness of the importance of security, educate them about security policies and procedures, and train them in the proper use of information systems.

19. What is the purpose of the SETA program?
The purpose of the SETA program is to improve the security of information systems by ensuring that users understand and follow the organization's security policies and procedures.

20. What is security training?
Security training is a formal process of educating employees about the proper use of technology and the risks associated with their actions.

21. What is a security awareness program?
A security awareness program is an ongoing effort to keep employees informed about the importance of information security, the threats they may face, and the steps they can take to protect the organization's information assets.