49 terms

Management of Information Security Chapter 5

Chapter 5 of Management of Information Security, 3rd ed., Whitman and Mattord
Information security program
____ is the term used to describe the structure and organization of the effort that strives to contain the risks to the information assets of the organization.
Help Desk
____________________ personnel are the front line of incident response, as they may be able to diagnose and recognize an attack while handling calls from users having problems with their computers, the network, or Internet connections.
CISO
The ____ is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information.
consultant
The information security ____ is typically an expert in some aspect of information security, who is brought in when the organization makes the decision to outsource one or more aspects of its security program.
Identify program scope, goals, and objectives
Identify training staff
Identify target audiences
Motivate management and employees
Administer the program
Maintain the program
Evaluate the program
List the steps of the seven-step methodology for implementing training.
False
The Computer Security Act of 1987 requires federal agencies to provide mandatory periodic training in computer security encryption and accepted computer practices to all employees involved with the management, use, or operation of their computer systems.
training
Security ____________________ involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
may not be sufficiently responsive to the needs of all trainees
A disadvantage of offering training in a formal class is that it ____.
security awareness
The three elements of a SETA program are security education, security training, and ____________________.
11%
On average, the security budget of a medium-sized organization is ____ of the total IT budget.
False
Individuals who perform routine monitoring activities are called security technicians.
one person
The typical security staff in a small organization consists of ____.
poster
Keys to a good security ____________________ series include varying the content and keeping posters updated.
On-the-job training
Which of the following training methods uses a sink-or-swim approach?
security administrator
The responsibilities of the ____ are a combination of the responsibilities of a security technician and a security manager.
top computing executive or Chief Information Officer
In large organizations the information security department is often headed by the CISO who reports directly to the ____.
technology product
Advanced technical training can be selected or developed based on job category, job function, or ____.
definers
A study of information security positions found that positions can be classified into one of three types: ____________________ provide the policies, guidelines, and standards. They're the people who do the consulting and the risk assessment, who develop the product and technical architectures.
builders
A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.
True
Effective training and awareness programs make employees accountable for their actions.
False
According to Charles Cresson Wood, "Reporting directly to top management is not advisable for the Information Security Department Manager [or CISO] because it impedes objectivity and the ability to perceive what's truly in the best interest of the organization as a whole, rather than what's in the best interest of a particular department."
False
Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
True
A security technician is usually an entry-level position.
True
In informing and preparing employees for their role in information security, security awareness provides the "what", training provides the "how" and education provides the "why".
True
Security managers are accountable for the day-to-day operation of the information security program.
False
Threats from insiders are more likely in a small organization than in a large one.
technology product
The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.
reduce the incidence of accidental security breaches
The security education, training, and awareness (SETA) program is designed to ____ by/of members of the organization.
security awareness
A SETA program consists of three elements: security education, security training, and ____.
security training
Employee behavior that endangers the security of the organization's information can be modified through security awareness and ____________________.
CISO
Security managers commonly report to the ____.
security administrator
The security analyst is a specialized ____.
False
One of the most commonly implemented but least effective security methods is the security awareness program.
False
The professional agencies such as SANS, ISC2, ISSA and CSI offer industry training conferences and programs that are ideal for the average employee.
False
Security education involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
identify program scope, goals, and objectives
Which of the following is the first step in the process of implementing training?
False
An organization's size is the variable that has the greatest influence on the structure of the organization's information security program.
information security
An organization's ____________________ program refers to the structure and organization of the effort that strives to contain the risks to the information assets of the organization.
True
In small organizations, security training and awareness is most commonly conducted on a one-on-one basis.
newsletter
A security ____________________ is the most cost-effective method of disseminating security information and news to employees.
True
Organizations with complex IT infrastructures are likely to require more information security support than those with less complex infrastructures.
True
To their advantage, some observers feel that small organizations avoid some threats precisely because of their small size.
True
A security trinket program is one of the most expensive security awareness programs.
True
A convenient time to conduct training for general users is during employee orientation.
A security technician
Which of the following would be responsible for configuring firewalls and IDSs, implementing security software, and diagnosing and troubleshooting problems?
GGG (guards, gates, and guns)
Security officers and investigators are part of the ____________________ aspect of security.
True
In large organizations, it is recommended to separate information security functions into four areas, including: non-technology business functions, IT functions, information security customer service functions and information security compliance enforcement functions.
True
The purpose of the CAEIAE program is to enhance security by building in-depth knowledge, by developing security-related skills and knowledge, and by improving awareness of the need to protect system resources.
assessment
An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.