Management of Information Security 4th Edition Michael E. Whitman, Herbert J. Mattord - Solutions
What factors are critical to the success of an InfoSec performance program?
According to Gerald Kovacich, what are the critical questions to be kept in mind when developing a measurements program?
What types of measures are used for InfoSec management measurement programs?
What is a performance measurement in the context of InfoSec management?
What are the NIST-recommended documents that support the process of baselining?
What is baselining? How does it differ from benchmarking?
When choosing recommended practices, what limitations should you keep in mind?
When selecting recommended practices, what criteria should you use?
What is the standard of due care? How does it relate to due diligence?
What is benchmarking?
What is COSO, and why is it important?
What is the common name for NIST SP 800-30? What is the document’s purpose? What resources does it provide?
What are the common names for NIST SP 800-53 and NIST SP 800-53A? What is the purpose of each document? What resources do they provide?
What is the common name for NIST SP 800-14? What is the document’s purpose? What resources does it provide?
What is the common name for NIST SP 800-12? What is the document’s purpose? What resources does it provide?
What are the two primary advantages of NIST security models?
What is COBIT? Who is its sponsor? What does it accomplish?
What are the documents in the ISO/IEC 27000 series?
What is an alternative model to the BS 7799 model (and its successors)? What does it include?
Which international InfoSec standards have evolved from the BS 7799 model? What do they include?
What is a data classification model? How is data classification different from a clearance level?
What is a mandatory access control?
Identify at least two approaches used to categorize access control methodologies. List the types of controls found in each.
What are the key principles on which access control is founded?
What are the essential processes of access control?
What is access control?
How might an InfoSec professional use a security model?
What is a security model?
What is an InfoSec blueprint?
What is an InfoSec framework?
When developing an awareness program, what priorities should you keep in mind?
List the steps in a seven-step methodology for implementing training.
What are the various delivery methods for training programs?
How does training differ from education? Which of the two is offered to a larger audience with regard to InfoSec?
Which of the SETA program’s three elements—education, training, and awareness—is the organization best prepared to provide itself? Which should it consider outsourcing?
What is the purpose of a SETA program?
Describe the two overriding benefits of education, training, and awareness.
InfoSec positions can be classified into what three areas? Describe each briefly.
What are the elements of a security program, according to NIST SP 800-14?
Which two NIST documents largely determine the shape of an InfoSec program? Which other documents can assist in this effort?
What are some of the various ways to implement an awareness program?
What can influence the effectiveness of a training program?
What are the three areas of a SETA program?
What are the roles that an InfoSec professional can assume?
Into what four areas should the InfoSec functions be divided?
Where should an InfoSec unit be placed within an organization? Where shouldn’t it be placed?
What is the typical size of the security staff in a small organization? A medium-sized organization? A large organization? A very large organization?
What organizational variables can influence the size and composition of an InfoSec program’s staff?
What functions constitute a complete InfoSec program?
What is an InfoSec program?
List and describe the three approaches to policy development presented in this chapter. In your opinion, which is best suited for use by a smaller organization and why? If the target organization were very much larger, which approach would be more suitable and why?
List and describe the two general groups of material included in most SysSP documents.
List and describe three common ways in which ISSP documents are created and/or managed.
What should be the first component of an ISSP when it is presented? Why? What should be the second major component? Why?
List and describe three functions that the ISSP serves in the organization.
List and describe four elements that should be present in the EISP.
To what degree should the organization’s values, mission, and objectives be integrated into the policy documents?
What is the purpose of a SysSP?
What is the purpose of an ISSP?
What is the purpose of an EISP?
List and describe the three types of InfoSec policy as described by NIST SP 800-14.
Is policy considered static or dynamic? Which factors might determine this status?
For a policy to have any effect, what must happen after it is approved by management? What are some ways to accomplish this?
In what way are policies different from procedures?
In what way are policies different from standards?
Describe the bull’s-eye model. What does it say about policy in the InfoSec program?
List and describe the three guidelines for sound policy, as stated by Bergeron and Bérubé.
List and describe the three challenges in shaping policy.
Of the controls or countermeasures used to control InfoSec risk, which is viewed as the least expensive? What are the primary costs of this type of control?
Which types of organizations might use a unified continuity plan? Which types of organizations might use the various contingency planning components as separate plans? Why?
What is a business impact analysis, and what is it used for?
What is a business continuity plan, and why is it important?
List and describe two rapid-onset disasters. List and describe one slow-onset disaster.
What is a disaster recovery plan, and why is it important to the organization?
What criteria should be used when considering whether or not to involve law enforcement agencies during an incident?
What is an incident damage assessment? What is it used for?
List and describe several containment strategies given in the text. On which tasks do they focus?
What is an alert roster? What is an alert message? Describe the two ways they can be used.
List and describe the actions that should be taken during an incident response.
List and describe the IR planning steps.
List and describe the sets of procedures used to detect, contain, and resolve an incident.
List and describe the criteria used to determine whether an actual incident is occurring.
Define the term “incident” as used in the context of IRP. How is it related to the concept of incident response?
List and describe the teams that perform the planning and execution of the CP plans and processes. What is the primary role of each?
List the seven-step CP process recommended by NIST.
According to some reports, what percentage of businesses that do not have a disaster plan go out of business after a major loss?
Which two communities of interest are usually associated with contingency planning? Which community must give authority to ensure broad support for the plans?
What is the name for the broad process of planning for the unexpected? What are its primary components?
What term is used to describe the control measure that reduces security incidents among members of the organization by familiarizing them with relevant policies and practices in an ongoing manner?
What term is used to describe the provision of rules intended to protect the information assets of an organization?
What name is given to the process of assigning a comparative risk rating to each specific information asset? What are the uses of such a rating?
What questions might be asked to help identify and classify information assets? Which is the most important question to ask?
What name is given to an attack that makes use of viruses and worms? What name is given to an attack that does not actually cause damage other than wasted time and resources?
How can a vulnerability be converted into an attack?
What is the difference between a threat and an attack?
What is a threat in the context of InfoSec? What are the 12 categories of threats presented in this chapter?
What is the primary objective of the SecSDLC? What are its major steps, and what are the major objectives of each step?
How does the SecSDLC differ from the more general SDLC?
Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?
What are the five basic outcomes that should be achieved through InfoSec governance?