Is411 Study Guide

Study Guide IS 411 Security Policies and Implementation Issues

A mature policy will not prevent all threats. The key to determining whether a business will implement any policy is cost. Policies support the risk assessment to reduce that cost by providing controls and procedures to manage the risk. A good policy includes support for incident handling. Pg 15

Policy may add complexity to a job, but that is not significant. Unmanageable complexity refers to how complex and realistic the project is. The ability of the organization to support the security policies will be an important issue. Pg 105

Who should review changes to a business process? A policy change control board; minimally you should include people from information security, compliance, audit, HR, leadership from other business units, and Project Managers (PMs). Pg 172

Policy – a document that states how the organization is to perform and conduct business functions and transactions with a desired outcome. Policy is based on a business requirement (such as legal or organizational).

Standard – an established and proven norm or method, which can be a procedural standard or a technical standard implemented organization-wide.

Procedure – a written statement describing the steps required to implement a process. Procedures are technical steps taken to achieve policy goals (a how-to document).

Guideline – a parameter within which a policy, standard, or procedure is suggested but optional. Pg 11-13

Resiliency is a term used in IT to indicate how quickly the IT infrastructure can recover.
Pg 279. The Recovery Time Objective (RTO) is the measure of how quickly individual business processes can be recovered. The Recovery Point Objective (RPO) is the maximum acceptable level of data loss from the point of the disaster. The RTO and RPO may not be the same value. Pg 287

Policies are the key to repeatable behavior. To achieve repeatable behavior you must measure both consistency and quality. Oversight phases for operational consistency:
* Monitor
* Measure
* Review
* Track
* Improve
pg 40

Find ways to reduce risk through reward. Reward refers to how management reinforces the value of following policies. An organization should put in place both disciplinary actions for not following policies and recognition for adhering to policies. This could be as simple as noting the level of compliance with policies in the employee's annual review. Pg 78

| Domain | Key policies and controls |
|---|---|
| User | Acceptable Use Policy (AUP); E-mail policy; Privacy policy – covers physical security; System access policy – IDs & passwords; Authorization – Role Based Access Control (RBAC); Authentication – most important |
| Workstation | Microsoft System Center Configuration Manager: Inventory – tracks LAN connections; Discovery – detects software and information installed, for compliance; Patch – current patches installed; Help desk – remote access to diagnose, reconfigure, reset IDs; Log – extracts logs to a central repository; Security – ensures users have limited rights, alerts on added admin accounts |
| LAN | Hub – connects multiple devices; Switch – can filter traffic; Router – connects LANs or LAN-WAN; Firewall – filters traffic in and out of the LAN, commonly used to filter traffic from the public Internet (WAN) to the private LAN; Flat network – has little or no control to limit network traffic; Segmented network – limits what and how computers are able to talk to each other by using switches, routers, firewalls, etc. |
| LAN-WAN | Generally, routers and firewalls are used to connect LAN to WAN. A Demilitarized Zone (DMZ) provides public-facing access to the organization, such as public websites. The DMZ sits between two layers of firewalls to limit traffic between LAN and WAN |
| WAN | Unsecure public Internet. A Virtual Private Network (VPN) is a secure and private encrypted tunnel. Firewalls have the ability to create and maintain a VPN tunnel. Lower cost and shorter lead time for small to medium companies using a VPN instead of a leased line |
| Remote Access | Enhanced user domain. Remote authentication – two factor: something you know (ID/password); something you have (secure token); something you are (biometric). The VPN client communicates with VPN hardware for tunneling; a client-to-site VPN maintains authentication, confidentiality, integrity and nonrepudiation |
| System/Application | Application software is the heart of all business applications. The application transmits the transaction to the server. Data Loss Protection (DLP) or Data Leakage Protection (DLP) refers to a program that reduces the likelihood of accidental or malicious loss of data. DLP involves inventory, perimeter (protected at endpoints) and encryption of mobile devices |
Pg 67

Motivation – pride (work is important), self-interest (repeated behavior is rewarded; most important, pg 326), and success (winning, ethical, soft skills). Pg 91

Executive management support is critical in overcoming obstacles. A lack of support makes implementing security policies impossible. Listen to executive needs and address them in policy. Pg 341

Security policies let your organization set rules to reduce risk to information assets. Pg 22.
The three most common security controls are:
* Physical – prevent access to the device
* Administrative – procedural controls such as security awareness training
* Technical – software such as antivirus and firewalls, and hardware
pg 27

Information Systems Security (ISS) is the act of protecting information and the systems that store and process it. Information Assurance (IA) focuses on protecting information during processing and use. Security principles known as the five pillars of the IA model:
* Confidentiality
* Integrity
* Availability
* Authentication
* Nonrepudiation

Policy must be clearly written. Unclear purpose refers to the clarity of the value a project brings. In the case of security policies, it's important to show how these policies will reduce risk. It's also important to show how the policies were derived in a way that keeps the business cost and impact low. Pg 104

Head of information management – the single point of contact responsible for data quality within the enterprise.

Data stewards – individuals responsible for data quality within a business unit.

Data administrators – execute policies and procedures such as backup, versioning, up/down loading, and database administration.

Data security administrators – grant access rights and assess threats in IA programs. Pg 188

Information security manager – identifies, develops and implements security policies.
Data owners – approve access rights to information.

Data manager – responsible for procedures on how data should be handled and classified.

Data custodian – individual responsible for day-to-day maintenance: grants access as approved by the data owner, performs backups and recovery, and maintains the data center and applications.

Data user – end user of an application.

Auditors – internal or external individuals who assess the design and effectiveness of security policies. Pg 115

Separation of duties principle – responsibilities and privileges should be divided to prevent a person or a small group of colluding people from inappropriately controlling multiple key aspects of a process and causing harm or loss. Pg 156

Internal control principle – information security forms the core of an organization's internal control systems. Regulations mandate that internal control systems be in place and operating properly. Organizations rely on technology to maintain business records. It's essential that such technology include internal control mechanisms. These maintain the integrity of the information and represent a true picture of the organization's activities. Pg 155

Lines of defense in the service sector:
1. Business Unit (BU) deals with controlling risk daily and reduces risk when possible. Develops long- and short-term strategies; directly accountable.
2. Enterprise Risk Management (ERM) program; the team owns the risk process. Provides guidance to the BUs, aligns policies with company goals, and oversees risk committees and risk initiatives.
3. Independent auditor assures the board and executive management that the risk function is designed and working well. Pg 192

Health Insurance Portability and Accountability Act (HIPAA) protects a person's privacy. HIPAA defines someone's health records as protected health information (PHI). HIPAA establishes how PHI can be collected, processed and disclosed and provides penalties for violations. Health care clearinghouses process and facilitate billing. Pg 50

Executive management is ultimately responsible for ensuring that data is protected. The information systems security organization enforces security policies at a program level. The team is accountable for identifying violations of policies. The front-line manager/supervisor enforces security policies at an employee level. Employees are responsible for understanding their roles and the security policies. They are accountable for following those policies. Employees can still be held liable for violations of the law. Employees can be prosecuted for illegal acts. Sampling of key roles to enforce security policies:
* General counsel – enforces legally binding agreements
* Executive management – implements enterprise risk management
* Human resources – enforces disciplinary actions
* Information systems security organization – enforces policies at program level
* Front-line manager/supervisor – enforces policies at employee level
pg 366

A Privileged-level Access Agreement (PAA) is designed to raise the awareness and accountability of those users who have administrative rights. Security Awareness Policy (SAP) principles can outline the frequency and target audience. An Acceptable Use Policy (AUP) defines the intended uses of computers and networks.
A good AUP should accompany security awareness training. Pg 220

Auditors are feared???

Contractors comply with the same security policies as any other employee (such as an AUP). There may be additional policy requirements on a contractor, such as a specific non-disclosure agreement and deeper background checks. Pg 215

| Data Class | Class Description | Recovery Period | Examples |
|---|---|---|---|
| Critical | Data must be recovered immediately | 30 minutes | Website, customer records |
| Urgent | Data can be recovered later | 48 hrs | E-mail backups |
| Non-vital | Not essential for daily operations | 30 days | Historical records, archives |
pg 263

U.S. military system – national security information document EO 12356:
* Top secret – grave damage to national security
* Secret – serious damage to NS
* Confidential – causes damage to NS
* Sensitive but unclassified – private data under the Freedom of Information Act
* Unclassified – available to the public

A Business Continuity Plan (BCP) creates a plan to continue business after a disaster. Elements include key assumptions, accountabilities, frequency of testing, and, as one part, the BIA. The purpose of the Business Impact Analysis (BIA) is to determine the impact to an organization in the event that key processes and technology are not available. Assets include critical resources, systems, facilities, personnel, and records. Pg 278

Desired results of the BIA include:
* A list of critical processes and dependencies
* A workflow of processes that includes the human requirements to recover key assets
* Analysis of legal and regulatory requirements
* A list of critical vendors and support agreements
* An estimate of the maximum allowable downtime
pg 286

Disaster Recovery Plan (DRP) is the policies and documentation needed for an organization to recover its IT assets after a disaster (part of the BCP).
Pg 288

Governance – requires a strong governance structure in place. This includes formal reporting to the board of directors. Most boards receive formal GLBA reporting through the audit committee. The head of information security usually writes this report each quarter. Pg 51

An Incident Response Team (IRT) is a specialized group of people whose purpose is to respond to major incidents. The IRT is typically a cross-functional (different skills) team. Pg 297. Common IRT members include:
* Information technology SMEs
* Information security representative
* HR
* Legal
* PR
* Business continuity representative
* Data owner
* Management
* Emergency services (normally an outside agency, i.e. police)
pg 302

Visa requires its merchants to report security incidents involving cardholder data. Visa classifies incidents into the following categories:
* Malicious code attacks
* Denial of service (DOS)
* Unauthorized access/theft
* Network reconnaissance probe
pg 299

Declare an incident, then develop a response/procedure to manage the incident. Before a response can be formulated, a decision needs to be made: whether to immediately pursue the attacker or to protect the organization. Having a protocol agreed in advance with management can establish priorities and speed the decision. It is important to have a set of responses planned in advance. Allowing the attacker to continue provides evidence about the attack. The most common response is to stop the attack as quickly as possible. Pg 309

How do you collect data? A trained specialist collects the information. A chain of custody is established and documented. For digital evidence, take a bit image of the machines and compute a hash value. The hash value is essentially a fingerprint of the image.
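The evidence-handling procedure above (bit image, hash as fingerprint, chain of custody, only copies checked out for review) as an added example written for this guide; it is not code from the textbook. The "image" is a constructed byte string standing in for a disk image, and the record layout, function names and the `EV-001` identifier are assumptions of the example, not the textbook's own forms.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: a tiny byte string stands in for a bit-for-bit disk image.
SAMPLE_IMAGE = b"\x00" * 512 + b"BOOT" + b"\xff" * 512


def fingerprint(image: bytes, algorithm: str = "sha256") -> str:
    """Hash the acquired image; the digest is the image's fingerprint."""
    h = hashlib.new(algorithm)
    h.update(image)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    """One chain-of-custody event: who did what, and the hash seen at that time."""
    action: str
    handler: str
    digest: str
    timestamp: str


@dataclass
class EvidenceRecord:
    """Evidence log kept by the IRT coordinator (layout is an assumption)."""
    evidence_id: str
    original_digest: str
    entries: list = field(default_factory=list)

    def log(self, action: str, handler: str, image: bytes) -> bool:
        """Append a custody entry and report whether the hash still matches the original."""
        digest = fingerprint(image)
        stamp = datetime.now(timezone.utc).isoformat()
        self.entries.append(CustodyEntry(action, handler, digest, stamp))
        return digest == self.original_digest


def acquire(evidence_id: str, image: bytes, handler: str) -> EvidenceRecord:
    """Establish the chain of custody at acquisition time."""
    record = EvidenceRecord(evidence_id, fingerprint(image))
    record.log("acquired", handler, image)
    return record


def check_out_copy(record: EvidenceRecord, copy: bytes, handler: str) -> bool:
    """Only copies leave the store; a copy whose hash differs is flagged, not released."""
    intact = record.log("copy checked out", handler, copy)
    if not intact:
        record.entries[-1].action += " (HASH MISMATCH - copy not released)"
    return intact


if __name__ == "__main__":
    rec = acquire("EV-001", SAMPLE_IMAGE, "forensic specialist")
    print("original fingerprint:", rec.original_digest)
    print("copy verified:", check_out_copy(rec, bytes(SAMPLE_IMAGE), "reviewer"))
    for e in rec.entries:
        print(e.timestamp, e.handler, e.action, e.digest[:16])
```

Every check-out re-hashes the copy and compares it with the digest taken at acquisition, so a copy that was altered (or a wrong file) is caught at the log rather than during review.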
The IRT coordinator maintains the evidence log, and only copies are logged out for review. Pg 311

Why do policies fail? Without solid support from all levels of the organization, acceptance and enforcement will fail. Pg 19

Which law allows companies to monitor employees? The Electronic Communications Privacy Act (ECPA) gives employers the right to monitor employees in the ordinary course of business. Pg 356

Policy enforcement can be accomplished through automated or manual controls. Automated controls are cost efficient for large volumes of work that need to be performed consistently. A short list of several common automated controls:
* Authentication methods
* Authorization methods
* Data encryption
* Logging events
* Data segmentation
* Network segmentation
pg 361

Microsoft Baseline Security Analyzer (MBSA) is a free download that can scan systems for common vulnerabilities. It starts by downloading an up-to-date XML file. This file contains known vulnerabilities and released patches. Pg 378

Business Continuity Plan (BCP) – sustain business during a disaster
Continuity of Operations Plan (COOP) – support strategic functions during a disaster
Disaster Recovery Plan (DRP) – plan to recover capability at an alternate site during a disaster
Business Recovery Plan (BRP) – recover operations immediately following a disaster
Occupant Emergency Plan (OEP) – plan to minimize loss of life or injury and protect assets from physical threats
pg 292

Extra notes: There are two types of SAS 70 audits:
* Type 1 – basically a design review of controls.
* Type II – includes Type 1, and the controls are tested to see if they work.
Pg 61

Governance, Risk management, and Compliance (GRC) and Enterprise Risk Management (ERM) both serve to manage risk. ERM takes a broad look at risk, while GRC is technology focused.
The top three GRC frameworks are the ISO 27000 series, COBIT, and COSO. Pg 197

Incident severity system:
* Severity 4 – small number of system probes or scans detected. A single instance of a virus. Event handled by automated controls. No unauthorized activity detected.
* Severity 3 – significant probes or scans. Widespread virus activity. Event requires manual intervention. No unauthorized activity detected.
* Severity 2 – DOS detected with limited impact. Automated controls failed to prevent the event. No unauthorized activity detected.
* Severity 1 – successful penetration, or DOS attack with significant disruption, or unauthorized activity detected.
Pg 308

To measure effectiveness, include IRT charter goals and analytics. Metrics are:
* Number of incidents
* Number of repeat incidents (signifies lack of training)
* Time to contain per incident (every incident is different; least important)
* Financial impact to the organization (most important to management)

Glossary terms

Bolt-on – adding information security as a separate layer of control after the fact.
Business Impact Analysis (BIA) – a formal analysis to determine the impact in the event key processes and technology are not available.
Committee of Sponsoring Organizations (COSO) – focuses on financial and risk management.
Control Objectives for Information and related Technology (COBIT) – framework that brings together business and control requirements with technical issues.
Detective control – a manual control that identifies a behavior after it has happened.
Federal Desktop Core Configuration (FDCC) – a standard image mandated in any federal agency. The image locks down the operating system with specific security settings.
Firecall-ID – a process granting elevated rights temporarily to solve a problem.
Flat network – has little or no controls to limit network traffic.
Information Technology Infrastructure Library (ITIL) – a framework that contains a comprehensive list of concepts, practices and processes for managing IT services.
IRT coordinator – documents all activities during an incident; the official scribe.
IRT manager – makes all the final calls on how to respond; interfaces with management.
Non-disclosure Agreement (NDA) – also known as a confidentiality agreement.
OCTAVE – an acronym for Operationally Critical Threat, Asset, and Vulnerability Evaluation; an ISS framework consisting of tools, techniques, and methods.
Pretexting – when a hacker creates a story in which the employee is asked to reveal information that weakens security.
Security Content Automation Protocol (SCAP) – NIST specification for how security software products measure, evaluate and report compliance.
Supervisory Control and Data Acquisition (SCADA) – system hardware and software that collects critical data to keep a facility operating.
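The four-level incident severity system and the IRT metrics listed earlier in these notes, carried through as an added example written for this guide rather than taken from the textbook. The `Incident` record fields, the probe-count threshold that separates "a small number" from "significant" probes, and the sample incidents are assumptions of the example; severity 1 is checked first so that any unauthorized activity overrides the lower levels, as the textbook's definitions require.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumption of this example: how many probes count as "significant" (the guide gives no number).
SIGNIFICANT_PROBES = 20


@dataclass
class Incident:
    """One logged incident; field names are an assumption of this example."""
    incident_id: str
    category: str                 # e.g. "probe", "virus", "dos", "penetration"
    detected: datetime
    contained: datetime
    probe_count: int = 0
    widespread_virus: bool = False
    manual_intervention: bool = False
    dos_impact: str = "none"      # "none", "limited" or "significant"
    automated_controls_held: bool = True
    unauthorized_activity: bool = False
    successful_penetration: bool = False
    financial_impact: float = 0.0


def severity(inc: Incident) -> int:
    """Map an incident onto the guide's severity 1 (worst) to 4 (least) scale."""
    # Severity 1: successful penetration, DOS with significant disruption, or any unauthorized activity.
    if inc.unauthorized_activity or inc.successful_penetration or inc.dos_impact == "significant":
        return 1
    # Severity 2: DOS with limited impact, or automated controls failed to prevent the event.
    if inc.dos_impact == "limited" or not inc.automated_controls_held:
        return 2
    # Severity 3: significant probes/scans, widespread virus activity, or manual intervention needed.
    if inc.widespread_virus or inc.manual_intervention or inc.probe_count >= SIGNIFICANT_PROBES:
        return 3
    # Severity 4: a few probes or a single virus instance handled by automated controls.
    return 4


def irt_metrics(incidents: list) -> dict:
    """The four effectiveness metrics from the guide, plus a per-severity breakdown."""
    seen = set()
    repeats = 0
    for inc in incidents:
        if inc.category in seen:
            repeats += 1          # same category again: the guide reads this as a training gap
        seen.add(inc.category)
    hours = [(i.contained - i.detected).total_seconds() / 3600 for i in incidents]
    return {
        "incidents": len(incidents),
        "repeat_incidents": repeats,
        "mean_hours_to_contain": sum(hours) / len(hours) if hours else 0.0,
        "financial_impact": sum(i.financial_impact for i in incidents),
        "by_severity": Counter(severity(i) for i in incidents),
    }


def sample_incidents() -> list:
    """Constructed sample data for the example; not real incidents."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return [
        Incident("INC-1", "probe", t0, t0.replace(hour=10), probe_count=3),
        Incident("INC-2", "probe", t0, t0.replace(hour=13), probe_count=50, manual_intervention=True),
        Incident("INC-3", "dos", t0, t0.replace(hour=15), dos_impact="limited", automated_controls_held=False),
        Incident("INC-4", "penetration", t0, t0.replace(hour=22), successful_penetration=True,
                 unauthorized_activity=True, financial_impact=25000.0),
    ]


if __name__ == "__main__":
    for inc in sample_incidents():
        print(inc.incident_id, "severity", severity(inc))
    print(irt_metrics(sample_incidents()))
```

The ordering of the checks is the substance of the scheme: the "no unauthorized activity detected" clause on levels 2 to 4 means the level-1 test must run first, otherwise a probe campaign that also showed unauthorized access would be under-rated.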