Exam 15: IT Security Controls, Plans, and Procedures


Controls can be classified as belonging to one of the following classes: management controls, operational controls, technical controls, detection and recovery controls, preventative controls, and _______ controls.

(Short Answer)
Correct Answer:

supportive

The ________ audit process should be conducted on new IT systems and services once they are implemented; and on existing systems periodically, often as part of a wider, general audit of the organization or whenever changes are made to the organization's security policy.

(Short Answer)
Correct Answer:

security compliance

______ checking is an audit process to review the organization's security processes.

(Short Answer)
Correct Answer:

Security compliance

A contingency plan for systems critical to a large organization would be _________ than that for a small business.

(Multiple Choice)

The _______ plan documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used.

(Short Answer)

Management controls refer to issues that management needs to address.

(True/False)

_________ controls focus on preventing security breaches from occurring by inhibiting attempts to violate security policies or exploit a vulnerability.

(Short Answer)

_______ management is concerned with specifically keeping track of the configuration of each system in use and the changes made to each.

(Short Answer)

Contingency planning falls into the _________ class of security controls.

(Short Answer)

The implementation process is typically monitored by the organizational ______.

(Multiple Choice)

_________ is a formal process to ensure that critical assets are sufficiently protected in a cost-effective manner.

(Multiple Choice)

________ is a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures.

(Short Answer)

Physical access or environmental controls are only relevant to areas housing the relevant equipment.

(True/False)

Appropriate security awareness training for all personnel in an organization, along with specific training relating to particular systems and controls, is an essential component in implementing controls.

(True/False)

Periodically reviewing controls to verify that they still function as intended, upgrading controls when new requirements are discovered, ensuring that changes to systems do not adversely affect the controls, and ensuring new threats or vulnerabilities have not become known are all ________ tasks.

(Multiple Choice)

The IT security management process ends with the implementation of controls and the training of personnel.

(True/False)

When the implementation is successfully completed, _______ needs to authorize the system for operational use.

(Short Answer)

The implementation phase comprises not only the direct implementation of the controls, but also the associated training and general security awareness programs for the organization.

(True/False)

Controls may vary in size and complexity in relation to the organization employing them.

(True/False)

Management should conduct a ________ to identify those controls that are most appropriate and provide the greatest benefit to the organization given the available resources.

(Multiple Choice)