Information security program
____ is the term used to describe the structure and organization of the effort that strives to contain the risks to the information assets of the organization.
____________________ personnel are the front line of incident response, as they may be able to diagnose and recognize an attack while handling calls from users having problems with their computers, the network, or Internet connections.
The ____ is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information.
The information security ____ is typically an expert in some aspect of information security, who is brought in when the organization makes the decision to outsource one or more aspects of its security program.
Identify program scope, goals, and objectives
Identify training staff
Identify target audiences
Motivate management and employees
Administer the program
Maintain the program
Evaluate the program
List the steps of the seven-step methodology for implementing training.
The Computer Security Act of 1987 requires federal agencies to provide mandatory periodic training in computer security encryption and accepted computer practices to all employees involved with the management, use, or operation of their computer systems.
Security ____________________ involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
may not be sufficiently responsive to the needs of all trainees
A disadvantage of offering training in a formal class is that it ____.
The three elements of a SETA program are security education, security training, and ____________________.
Keys to a good security ____________________ series include varying the content and keeping posters updated.
The responsibilities of the ____ are a combination of the responsibilities of a security technician and a security manager.
top computing executive or Chief Information Officer
In large organizations the information security department is often headed by the CISO who reports directly to the ____.
Advanced technical training can be selected or developed based on job category, job function, or ____.
A study of information security positions found that positions can be classified into one of three types: ____________________ provide the policies, guidelines, and standards. They're the people who do the consulting and the risk assessment, who develop the product and technical architectures.
A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.
According to Charles Cresson Wood, "Reporting directly to top management is not advisable for the Information Security Department Manager [or CISO] because it impedes objectivity and the ability to perceive what's truly in the best interest of the organization as a whole, rather than what's in the best interest of a particular department."
Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
In informing and preparing employees for their role in information security, security awareness provides the "what", training provides the "how" and education provides the "why".
Security managers are accountable for the day-to-day operation of the information security program.
The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.
reduce the incidence of accidental security breaches
The security education, training, and awareness (SETA) program is designed to ____ by/of members of the organization.
A SETA program consists of three elements: security education, security training, and ____.
Employee behavior that endangers the security of the organization's information can be modified through security awareness and ____________________.
One of the most commonly implemented but least effective security methods is the security awareness program.
The professional agencies such as SANS, ISC2, ISSA and CSI offer industry training conferences and programs that are ideal for the average employee.
Security education involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
identify program scope, goals, and objectives
Which of the following is the first step in the process of implementing training?
An organization's size is the variable that has the greatest influence on the structure of the organization's information security program.
An organization's ____________________ program refers to the structure and organization of the effort that strives to contain the risks to the information assets of the organization.
In small organizations, security training and awareness is most commonly conducted on a one-on-one basis.
A security ____________________ is the most cost-effective method of disseminating security information and news to employees.
Organizations with complex IT infrastructures are likely to require more information security support than those with less complex infrastructures.
To their advantage, some observers feel that small organizations avoid some threats precisely because of their small size.
A security technician
Which of the following would be responsible for configuring firewalls and IDSs, implementing security software, and diagnosing and troubleshooting problems?
GGG (guards, gates, and guns)
Security officers and investigators are part of the ____________________ aspect of security.
In large organizations, it is recommended to separate information security functions into four areas, including: non-technology business functions, IT functions, information security customer service functions and information security compliance enforcement functions.
The purpose of the CAEIAE program is to enhance security by building in-depth knowledge, by developing security-related skills and knowledge, by improving awareness of the need to protect system resources.