NS&S - Organization

2012-03-18 06:55:13

Chief Security Officers (CSOs), Should You Place Security within IT?, Top Management Support, Relationships with Other Departments, Outsourcing IT Security

  1. What is the manager of the security department usually called? [65]
    Chief Security Officer (CSO)
  2. What is another title for this person? [65]
    Chief information security officer (CISO)
  3. What are the advantages of placing security within IT? [65]
    • It is attractive because security and IT possess many of the same qualities and technological skills.
    • It centralizes security and IT under the CIO. The CIO would have IT implement security and is likely to back the security department in its effort to create a strong and safe information system for the organization.
  4. What are the disadvantages of placing security within IT? [67]
    • Security has no independence from IT and it is hard to blow the whistle on security issues occurring within the IT department or by the CIO.
    • Having security reside in the IT department creates a situation where no one is watching the watchers (who are also the implementers).
  5. What do most IT security analysts recommend about placing or not placing IT security within IT? [67]
    IT security analysts recommend placing IT security outside of the IT department.
  6. How are security roles allocated in the hybrid solution to placing IT security inside or outside of the IT department? [67]
    In the hybrid solution of IT security:
    • The IT department is given the operational aspects, such as maintaining firewalls.
    • Planning, policy-making, and auditing functions are placed outside of IT.
  7. Why is top management support important? [67]
    Few efforts as pervasive as IT security succeed unless top management gives strong and consistent support. The proof of top management support comes in subsequent actions.
  8. What three things must top management do to demonstrate support? [67-68]
    • Security has an adequate budget.
    • Support security when there are conflicts between the needs of security and the needs of other business functions.
    • Follow security procedures themselves.
  9. Why is the human resources department important to IT security? [68]
    • The human resources department is responsible for the hiring and training of employees in security.
    • IT Security must work with HR on hiring and terminating to ensure security issues are taken into account.
  10. Distinguish between the three main types of corporate auditing units. [68]
    • Internal auditing: examines organizational units for efficiency, effectiveness, and adequate controls.
    • Financial auditing: examines financial processes for efficiency, effectiveness, and adequate controls.
    • IT auditing: examines IT processes for efficiency, effectiveness, and adequate controls.
  11. What is the advantage of placing IT security auditing in one of these three auditing departments? [68]
    • Brings more independence to IT Security Auditing.
    • Allows IT security auditing to blow the whistle on the IT security department or the CSO if necessary.
  12. What relationships can the IT security have to the corporation’s uniformed security staff? [68]
    • The company’s uniformed security staff will execute policies about building access. The uniformed security staff is also needed to seize computers that IT security believes to be involved in financial crime or abuse.
    • In the other direction, IT security can help uniformed security with surveillance cameras and the forensics analysis of equipment that may have been used to commit a crime.
  13. What can the security staff do to get along better with other departments in the firm? [69]
    To get along with other departments, Security should accompany policies with financial benefits analyses and realistic business impact statements.
  14. What are business partners? [69]
    Business partners include:
    • buyer organizations
    • customer organizations
    • service organizations
    • even competitors
  15. Why are business partners dangerous? [69]
    They're often granted access to resources in your firm.
  16. What is due diligence? [69]
    Investigating the IT security of external companies and the implications of close IT partnerships before implementing inter-connectivity.
  17. What is an MSSP? [70]
    • Managed security service provider.
    • It is an outsourcing alternative to delegate controls.
  18. What are the two main benefits of using an MSSP? [70-71]
    • MSSPs have expertise and practice-based knowledge.
    • They even have complete independence from the IT security department.
  19. Why are MSSPs likely to do a better job than IT security department employees? [71]
    • An MSSP will examine several hundred suspicious events each day and will identify them.
    • Most will be false positives, some will be negligible threats (such as scanning attacks), and there will usually be a few serious threats; these will be brought to the attention of the client through email or pager, depending on severity.
    • By distilling the flood of suspicious incidents into a handful of important events requiring client action each day, MSSPs free the security staff to work on other matters.
  20. What security functions typically are outsourced? [71]
    Intrusion detection and vulnerability testing
  21. What security functions usually are not outsourced? [71]
    Policy and Planning
  22. What should a firm look for when selecting an MSSP? [71]
    Look at the contract with the outsourcing firm and see if the MSSP scans log files daily or according to contract. Look if the MSSP is sending alerts about the company’s security.