Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing. Using this method, you follow the recommended or existing practices of a similar organization or industry-developed standards.

2. What is the standard of due care? How does it relate to due diligence?

Organizations that adopt minimum levels of security to establish a future legal defense may need to prove that they have done what any prudent organization would do in similar circumstances; this is the standard of due care. Due diligence encompasses the requirement that the implemented standards continue to provide the required level of protection. Failure to establish and maintain standards of due care and due diligence can expose an organization to legal liability if it can be shown that the organization was negligent in its application, or lack of application, of information protection.

3. What is a recommended security practice? What is a good source for finding such recommended practices?

Security efforts that seek to provide a superior level of performance in the protection of information are called recommended business practices, or best practices; in the security context these are recommended security practices. Security efforts done at the best level in the industry are termed best security practices. The federal government has a web site, http://csrc.nist.gov, that allows government agencies to share their best security practices with other agencies. It originated with the Federal Agency Security Project (FASP) and also contains other guidelines, policies, procedures, and practices. These security policies can also be applied in the public and private sectors. Another web site on recommended security practices is that of the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

4. What is a gold standard in information security practices? Where can you find published criteria for it?

A gold standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information. While some public information on recommended practices is available, no published criteria for a gold standard exist.

5. When selecting recommended practices, what criteria should you use?

Consider the following:
- Does your organization resemble the target organization of the recommended practice? Are you in a similar industry as the target of the recommended practice? A strategy that works well in the manufacturing sector might have little relevance to a nonprofit organization.
- Do you face similar challenges as the target of the recommended practice?
- Is your organizational structure similar to the target of the recommended practice?
- Can your organization expend resources at the level required by the recommended practice? A recommended practice that demands funding beyond what your organization can afford is of limited value.
- Is your threat environment similar to the one assumed by the recommended practice? Recommended practices that are months or even weeks old may not answer the current threat environment.

6. When choosing recommended practices, what limitations should you keep in mind?

Organizations don’t communicate about attacks; this lack of sharing creates an information barrier that hurts the industry. A second limitation is that a recommended practice that works well for one organization may not work in another organization with different variables, which limits the lessons that could help in the current strategy to address problems. A third problem is that recommended practices are a moving target. Knowing what happened a few years ago does not necessarily tell you what to do next, and preparing for past threats does not protect you from what lies ahead. Security programs must continually keep abreast of new threats and other organizational technologies in order to combat them.

7. What is baselining? How does it differ from benchmarking?

A baseline is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared.” Baselining is the process of measuring against established standards. In information security, baseline measurements of security activities and events are used to evaluate the organization’s future security performance. Used in this way, baselining can provide the foundation for internal benchmarking. Benchmarking can help to determine which controls should be considered, but it cannot determine how those controls should be implemented in your organization.

8. What are the NIST-recommended documents that support the process of baselining?

The documents are available at http://csrc.nist.gov under the Special Publications link:
- SP 800-27 Revision A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).
- SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations.
- SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.

9. What is a performance measure in the context of information security management?

Measures are data points or computed trends that may indicate the effectiveness of security countermeasures or controls, technical and managerial, as implemented in the organization. Performance measurement is the process of designing, implementing, and managing the use of the collected data elements, called measures, to determine the effectiveness of the overall security program within the organization.

10. What types of measures are used for information security management measurement programs?

There are three types of measures:
- Those that determine the effectiveness of the execution of information security policy, most commonly issue-specific security policies.
- Those that determine the effectiveness and/or efficiency of the delivery of information security services, whether they be managerial services such as security training or technical services such as the installation of antivirus software.
- Those that assess the impact of an incident or other security event on the organization or its mission.
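As an added example (not from the original answers or from the NIST documents they cite), the following builds two measures of the second type above, a technical service (antivirus installation) and a managerial service (security training), as records using a subset of the performance-measure fields listed under question 14, evaluates each formula over constructed inventory data, and compares the result with its target, which is the gap analysis of Phase 2 in the NIST process. The host and user records, measure IDs and targets are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data (not from the page): host inventory and training records.
HOSTS = [
    {"name": "ws-01", "antivirus": True}, {"name": "ws-02", "antivirus": True},
    {"name": "ws-03", "antivirus": False}, {"name": "srv-01", "antivirus": True},
    {"name": "srv-02", "antivirus": False},
]
USERS = [
    {"name": "alice", "trained": True}, {"name": "bob", "trained": False},
    {"name": "carol", "trained": True}, {"name": "dave", "trained": True},
]

def pct(items, key):
    """Percentage of items whose boolean attribute `key` is true (0.0 for no data)."""
    return 100.0 * sum(1 for i in items if i[key]) / len(items) if items else 0.0

@dataclass
class Measure:
    """Subset of the performance-measure fields listed under question 14."""
    measure_id: str
    goal: str
    measure_type: str             # "policy", "service delivery" or "impact"
    formula: Callable[[], float]  # computed from the data source, as a percentage
    target: float                 # value the measure is expected to reach
    frequency: str
    data_source: str

MEASURES = [
    Measure("M-01", "Deliver technical security services", "service delivery",
            lambda: pct(HOSTS, "antivirus"), 100.0, "monthly", "asset inventory"),
    Measure("M-02", "Deliver managerial security services", "service delivery",
            lambda: pct(USERS, "trained"), 90.0, "quarterly", "training records"),
]

def evaluate(m: Measure) -> dict:
    """Phase 2: compute the measure and compare it with its target (gap analysis)."""
    value = m.formula()
    return {"measure_id": m.measure_id, "value": value, "target": m.target,
            "gap": max(0.0, m.target - value), "met": value >= m.target}

def gap_report(measures) -> list:
    """Input to Phase 3: unmet measures, largest gap first, for prioritizing corrective actions."""
    results = [evaluate(m) for m in measures]
    return sorted((r for r in results if not r["met"]), key=lambda r: r["gap"], reverse=True)

if __name__ == "__main__":
    for r in gap_report(MEASURES):
        print(f'{r["measure_id"]}: {r["value"]:.1f}% against target {r["target"]:.1f}% (gap {r["gap"]:.1f})')
```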
11. According to Dr. Kovacich, what are the critical questions to be kept in mind when developing a measurements program?

- Why should these statistics be collected?
- What specific statistics will be collected?
- How will these statistics be collected?
- When will these statistics be collected?
- Who will collect these statistics?
- Where (at what point in the function’s process) will these statistics be collected?

12. What factors are critical to the success of an information security performance program?

Four factors are critical to the success of an information security performance program:
- Strong upper-level management support: critical not only for the success of the program but also for the program’s implementation.
- Practical information security policies and procedures: these specify the information security management structure, identify key responsibilities, and lay the foundation to reliably measure progress and compliance.
- Quantifiable performance measures: designed to capture and provide meaningful performance data, based on information security performance goals and objectives, easily obtainable, and feasible to measure.
- Results-oriented measures analysis: used to apply lessons learned, improve the effectiveness of existing security controls, and plan for the implementation of future security controls to meet new information security requirements as they occur.

14. List and describe the fields found in a properly and fully defined performance measure.

The fields within the performance measure are: measure ID, goal, measure, measure type, formula, target, implementation evidence, frequency, responsible parties, data source, and reporting format.

15. Describe the recommended process for the development of information security measurement program implementation.

The process for performance measures implementation recommended by NIST involves six subordinate tasks, shown in Figure 7-2:
- Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
- Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data and compare measurements with targets (gap analysis).
- Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions.
- Phase 4: Develop the business case.
- Phase 5: Obtain resources; address the budgeting cycle for acquiring the resources needed to implement the remediation actions identified in Phase 3.
- Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.

16. Why is a simple list of measurement data usually insufficient when reporting information security measurements?

The reporting mechanism can and should provide the context for the values in a report, and you must make decisions about how to present correlated metrics: whether to use pie, line, bar, or scatter charts, and which colors denote which kinds of results.

17. What is the capability maturity model, and which organization is responsible for its development?

The Capability Maturity Model Integration (CMMI) is designed specifically to integrate an organization’s process improvement activities across disciplines. It highlights the benefits of integrated process improvement and explains the key features of the new, integrated approach to process improvement. The Software Engineering Institute at Carnegie Mellon University provided support for and development of the capability maturity model.

18. What is systems accreditation?

In security management, accreditation is the authorization of an IT system to process, store, or transmit information. Accreditation is issued by a management official and serves as a means of assuring that systems are of adequate quality.

19. What is systems certification?

Certification is defined as “the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.”

20. Which reference document describes the new initiative for certification and accreditation of federal IT systems?

The NIST SP 800-37 guidelines describe the security certification and accreditation (C&A) initiative for federal information technology systems.