Exam 15: IT Security Controls, Plans, and Procedures


Periodically reviewing controls to verify that they still function as intended, upgrading controls when new requirements are discovered, ensuring that changes to systems do not adversely affect the controls, and ensuring new threats or vulnerabilities have not become known are all ________ tasks.

(Multiple Choice)
Correct Answer:

B

Controls can be classified as belonging to one of the following classes: management controls, operational controls, technical controls, detection and recovery controls, preventative controls, and _______ controls.

(Short Answer)
Correct Answer:

supportive

Operational controls range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.

(True/False)
Correct Answer:

False

Controls may vary in size and complexity in relation to the organization employing them.

(True/False)

_________ is a formal process to ensure that critical assets are sufficiently protected in a cost-effective manner.

(Multiple Choice)

The ________ audit process should be conducted on new IT systems and services once they are implemented, and on existing systems periodically, often as part of a wider, general audit of the organization or whenever changes are made to the organization's security policy.

(Short Answer)

______ checking is an audit process to review the organization's security processes.

(Short Answer)

The objective of the ________ control category is to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

(Multiple Choice)

Identification and authentication is part of the _______ class of security controls.

(Multiple Choice)

When the implementation is successfully completed, _______ needs to authorize the system for operational use.

(Short Answer)

A _________ on an organization's IT systems identifies areas needing treatment.

(Short Answer)

________ controls involve the correct use of hardware and software security capabilities in systems.

(Short Answer)

________ is a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures.

(Short Answer)

_______ management is concerned with specifically keeping track of the configuration of each system in use and the changes made to each.

(Short Answer)

The follow-up stage of the management process includes _________.

(Multiple Choice)

To ensure that a suitable level of security is maintained, management must follow up the implementation with an evaluation of the effectiveness of the security controls.

(True/False)

Management should conduct a ________ to identify those controls that are most appropriate and provide the greatest benefit to the organization given the available resources.

(Multiple Choice)

Appropriate security awareness training for all personnel in an organization, along with specific training relating to particular systems and controls, is an essential component in implementing controls.

(True/False)

The implementation phase comprises not only the direct implementation of the controls, but also the associated training and general security awareness programs for the organization.

(True/False)

Detection and recovery controls provide a means to restore lost computing resources.

(True/False)
Showing 1 - 20 of 45