
Management of Information Security


Submitted By ijosito
Review Questions for Chapter 7 – Security Management Practices
Read Chapter 7 in the text, study the PowerPoint presentation and answer these review questions.

1. What is benchmarking?
2. What is the standard of due care? How does it relate to due diligence?
3. What is a recommended security practice? What is a good source for finding such best practices?
4. What is a gold standard in information security practices? Where can you find published criteria for it?
5. When selecting recommended practices, what criteria should you use?
6. When choosing recommended practices, what limitations should you keep in mind?
7. What is baselining? How does it differ from benchmarking?
8. What are the NIST-recommended documents that support the process of baselining?
9. What is a performance measure in the context of information security management?
10. What types of measures are used for information security management measurement programs?
11. According to Dr. Kovacich, what are the critical questions to be kept in mind when developing a measurements program?
12. What factors are critical to the success of an information security performance program?
13. What is a performance target, and how is it used in establishing a measurement program?

Answer: Performance targets are values assigned to specific metrics that indicate acceptable levels of performance. They make it possible to define success in the security program.

14. List and describe the fields found in a properly and fully defined performance measure.
15. Describe the recommended process for the development of information security measurement program implementation.
16. Why is a simple list of measurement data usually insufficient when reporting information security measurements?
17. What is the capability maturity model, and which organization is responsible for its development?
18. What is systems
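The following is an added illustration of questions 13, 14 and 16 together, not code from the textbook or from the submitted answers: a performance measure written out with all of its fields, a target attached to it, and the measure computed over several reporting periods so that the report carries a met/not-met status and a trend rather than a bare list of numbers. The template fields are assumed to be those of the NIST SP 800-55 Rev. 1 measure template; the 30-day patch window, the 95% target and every host record are constructed sample values chosen for this example.

```python
"""Added illustration (not from the textbook or the assignment): a performance
measure with a target, computed from constructed host records.
Assumed, not from the page: the NIST SP 800-55 Rev. 1 template fields,
the 30-day patch window, the 95% target and all sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable, List, Optional, Tuple

PATCH_WINDOW_DAYS = 30  # assumed SLA for applying a critical patch


@dataclass(frozen=True)
class HostRecord:
    """One host's patch status for a period (constructed sample input)."""
    host: str
    patch_released: date
    patch_applied: Optional[date]  # None: the patch was never applied


@dataclass
class PerformanceMeasure:
    """A fully defined measure: the NIST SP 800-55 Rev. 1 template fields."""
    measure_id: str
    goal: str
    measure: str
    measure_type: str  # implementation, effectiveness/efficiency, or impact
    formula: str       # human-readable statement of the computation
    target: float      # the performance target, in percent
    implementation_evidence: str
    frequency: str
    responsible_parties: str
    data_source: str
    reporting_format: str
    compute: Callable[[Iterable[HostRecord]], float]


def pct_patched_within_window(records: Iterable[HostRecord]) -> float:
    """Percent of hosts whose patch was applied within PATCH_WINDOW_DAYS."""
    records = list(records)
    if not records:
        return 0.0  # nothing in scope: report 0 instead of dividing by zero
    compliant = sum(1 for r in records if r.patch_applied is not None
                    and (r.patch_applied - r.patch_released).days <= PATCH_WINDOW_DAYS)
    return round(100.0 * compliant / len(records), 1)


def trend(values: List[float]) -> str:
    """Direction of a series; a bare list of numbers does not say this,
    which is why a report needs the target and the trend, not just data."""
    if len(values) < 2:
        return "insufficient history"
    steps = list(zip(values, values[1:]))
    if all(b >= a for a, b in steps):
        return "improving"
    if all(b <= a for a, b in steps):
        return "degrading"
    return "fluctuating"


def report(measure: PerformanceMeasure,
           periods: List[Tuple[str, List[HostRecord]]]) -> dict:
    """Per-period value and met/not-met status against the target, plus trend."""
    rows = []
    for label, records in periods:
        value = measure.compute(records)
        rows.append({"period": label, "value": value, "target": measure.target,
                     "status": "met" if value >= measure.target else "not met"})
    return {"measure_id": measure.measure_id, "rows": rows,
            "trend": trend([row["value"] for row in rows])}


# Illustrative measure definition; every value here is assumed.
CRITICAL_PATCH_MEASURE = PerformanceMeasure(
    measure_id="PM-01",
    goal="Reduce exposure to known critical vulnerabilities",
    measure="Percent of hosts with critical patches applied within 30 days",
    measure_type="effectiveness/efficiency",
    formula="(hosts patched within window / hosts in scope) * 100",
    target=95.0,
    implementation_evidence="Release and applied dates per host",
    frequency="Quarterly",
    responsible_parties="IT operations (collect), CISO (report)",
    data_source="Patch management system export",
    reporting_format="Quarterly trend line against the 95% target",
    compute=pct_patched_within_window,
)

# Constructed sample data: three quarters of records for a few hosts.
SAMPLE_PERIODS = [
    ("2024-Q1", [HostRecord("web-01", date(2024, 1, 10), date(2024, 1, 20)),  # 10 days
                 HostRecord("web-02", date(2024, 1, 10), date(2024, 2, 24)),  # 45 days
                 HostRecord("db-01", date(2024, 1, 10), date(2024, 2, 5)),    # 26 days
                 HostRecord("db-02", date(2024, 1, 10), None)]),              # never
    ("2024-Q2", [HostRecord("web-01", date(2024, 4, 9), date(2024, 4, 15)),   # 6 days
                 HostRecord("web-02", date(2024, 4, 9), date(2024, 5, 1)),    # 22 days
                 HostRecord("db-01", date(2024, 4, 9), date(2024, 5, 8)),     # 29 days
                 HostRecord("db-02", date(2024, 4, 9), None)]),               # never
    ("2024-Q3", [HostRecord("web-01", date(2024, 7, 2), date(2024, 7, 3)),    # 1 day
                 HostRecord("db-01", date(2024, 7, 2), date(2024, 7, 20)),    # 18 days
                 HostRecord("db-02", date(2024, 7, 2), date(2024, 8, 1))]),   # 30 days
]

if __name__ == "__main__":
    result = report(CRITICAL_PATCH_MEASURE, SAMPLE_PERIODS)
    for row in result["rows"]:
        print(f"{row['period']}: {row['value']}% of {row['target']}% -> {row['status']}")
    print("trend:", result["trend"])
```

Running it on the sample data gives 50.0%, 75.0% and 100.0% for the three quarters, the first two below target and the last one meeting it, with an "improving" trend. The point of the report dictionary is the contrast with a raw series such as [50.0, 75.0, 100.0]: the same numbers without the target and the direction leave the reader to guess whether the program is succeeding.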
