The flashcards below were created by user on FreezingBlue Flashcards.
What are the aspects of Security Administration?
Planning, Risk Analysis, Policy, Physical Control
What is a document describing how an org will address its security needs?
A Security Plan should include(6)?
Policy, Current State, Requirements, Recommended Controls, Accountability, Timetable, Continuing Attention
high level statement and should specify goals, responsibility, and commitment
Who gets access, What resources should be accessed, What types of access for each user per resource
In policy a high level statement says
Policy should specify and should be
- Goals, Responsibility, Commitment to security
- Top Down
To find the current state of security, a company must perform
Investigation of the system, environment, and vulnerabilities, and who is responsible
Performing a risk analysis can be a
With planning this is, what needs to be done
direct the implementation of requirements
"Only campus machines should be authenticated into the library system" is a ____ & "Not all faculty are on site" is a ____
requirement & constraint
Remove or reduce a vulnerability
"graduating students leave unattended e-mail accounts" is a ____ & "match student enrollment with email accounts each semester" is a _____
Requirements specify ___ should be accomplished not ___
Hiring programmers is an art: telling them what you want is good, but when you tell them how to do it they will make a horrible program
software developers dilemma
Requirements must have (7)
- Correctness( and understandability)
correlation between requirement and the function/data related to it
Responsibility for implementation
People who have the responsibility for implementation include:
users, project leaders, managers, database admin, information officers, H/R (best friend)
Phased development? Order of implementation? What if things change?
need _____ for change not just "we are agile"
periodic reviews, changes in software/hardware, discovered vulnerabilities
planning- continual attention
need to change policy to account for new technology
needs to be an active, living document
computer hardware group, system administrators, system programmers, application programmers, data entry personnel, physical security personnel, representative users
planning- team members
someone who cares and has the power to make changes work
All of these must come together for IA to really work - Commitment
- Constant Training
In case of a catastrophe we need to have a
long duration issues, fall back plans, redundancy, death of a principal
Need these for a good one
Assess business impact
Develop a strategy (policy)
Develop a plan (procedures)
Try it out!
procedures for dealing with a security incident
incident response plans
what is an incident
who should take charge
what actions should be taken
Advance planning is key
people: director, lead technician, advisors
incident response plans need
considerations of an incident response plan
what controls need to be changed, did the incident response plan work?
after an incident
University of Utah
- not perfect but good
- pretty, business bingo, BAD
- Very Good Policy