Deck 15: It Security Controls, plans, and Procedures

Detection and recovery controls provide a means to restore lost
computing resources.

The selection of recommended controls is not guided by legal
requirements.

The implementation phase comprises not only the direct
implementation of the controls,but also the associated training and general security awareness programs for the organization.

Water damage protection is included in security controls.

To ensure that a suitable level of security is maintained,management
must follow up the implementation with an evaluation of the effectiveness of the security controls.

All controls are applicable to all technologies.

Appropriate security awareness training for all personnel in an
organization,along with specific training relating to particular systems and controls,is an essential component in implementing controls.

The IT security management process ends with the implementation of
controls and the training of personnel.

Management controls refer to issues that management needs to address.

Once in place controls cannot be adjusted,regardless of the results of
risk assessment of systems in the organization.

Operational controls range from simple to complex measures that work
together to secure critical and sensitive data,information,and IT systems functions.

Physical access or environmental controls are only relevant to areas
housing the relevant equipment.

The recommended controls need to be compatible with the
organization's systems and policies.

It is likely that the organization will not have the resources to
implement all the recommended controls.

Controls may vary in size and complexity in relation to the
organization employing them.

________ is a means of managing risk,including policies,procedures,guidelines,practices,or organizational structures.

_______ management is the process used to review proposed changes to systems for implications on the organization's systems and use.

The _________ controls focus on the response to a security breach,by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources.

The _______ plan documents what needs to be done for each selected control,along with the personnel responsible,and the resources and time frame to be used.

A _________ on an organization's IT systems identifies areas needing treatment.

_______ management is concerned with specifically keeping track of the configuration of each system in use and the changes made to each.

When the implementation is successfully completed,_______ needs to authorize the system for operational use.

Controls can be classified as belonging to one of the following classes: management controls,__________,and technical controls.

________ controls involve the correct use of hardware and software security capabilities in systems.

______ checking is an audit process to review the organization's security processes.

Controls can be classified as belonging to one of the following classes: management controls,operational controls,technical controls,detection and recovery controls,preventative controls,and _______ controls.

Contingency planning falls into the _________ class of security controls.

Incident response is part of the ________ class of security controls.

_________ controls focus on preventing security beaches from occurring by inhibiting attempts to violate security policies or exploit a vulnerability.

The ________ audit process should be conducted on new IT systems and services once they are implanted; and on existing systems periodically,often as part of a wider,general audit of the organization or whenever changes are made to the organization's security policy.