Deck 15: IT Security Controls, Plans, and Procedures

All controls are applicable to all technologies.

The IT security management process ends with the implementation ofcontrols and the training of personnel.

Detection and recovery controls provide a means to restore lostcomputing resources.

The implementation phase comprises not only the directimplementation of the controls, but also the associated training and general security awareness programs for the organization.

It is likely that the organization will not have the resources toimplement all the recommended controls.

To ensure that a suitable level of security is maintained, managementmust follow up the implementation with an evaluation of the effectiveness of the security controls.

Water damage protection is included in security controls.

Physical access or environmental controls are only relevant to areashousing the relevant equipment.

The recommended controls need to be compatible with theorganization's systems and policies.

The selection of recommended controls is not guided by legalrequirements.

Controls may vary in size and complexity in relation to theorganization employing them.

Once in place controls cannot be adjusted, regardless of the results ofrisk assessment of systems in the organization.

Management controls refer to issues that management needs to address.

Appropriate security awareness training for all personnel in anorganization, along with specific training relating to particular systems and controls, is an essential component in implementing controls.

________ is a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures.

The _______ plan documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used.

_______ management is the process used to review proposed changes to systems for implications on the organization's systems and use.

_______ management is concerned with specifically keeping track of the configuration of each system in use and the changes made to each.

The _________ controls focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources.

A _________ on an organization's IT systems identifies areas needing treatment.

______ checking is an audit process to review the organization's security processes.

________ controls involve the correct use of hardware and software security capabilities in systems.

The three steps for IT security management controls and implementation are: prioritize risks, respond to risks, and __________ .

When the implementation is successfully completed, _______ needs to authorize the system for operational use.

Contingency planning falls into the _________ class of security controls.

Controls can be classified as belonging to one of the following classes: management controls, operational controls, technical controls, detection and recovery controls, preventative controls, and _______ controls.

The ________ audit process should be conducted on new IT systems and services once they are implanted; and on existing systems periodically, often as part of a wider, general audit of the organization or whenever changes are made to the organization's security policy.

_________ controls focus on preventing security beaches from occurring by inhibiting attempts to violate security policies or exploit a vulnerability.

Incident response is part of the ________ class of security controls.