Policy (Mandatory): High-level, strategic document that establishes an organization’s information security program and how it fits into larger business objectives. Example: Protect CIA of PII through encryption.
Procedure (Mandatory): Step-by-step guide for accomplishing a task. Low-level, specific. Example: Enroll in PKI. Register company’s digital certificates with CA. Exchange public keys as appropriate and encrypt data.
Standard (Mandatory): Describes specific use of technology, often applies to hardware and software. Example: Triple Data Encryption Algorithm (3DES).
Baseline (Discretionary): Provide a starting point; a minimum for implementing a safeguard. Example: Consult Center for Internet Security baselines on encryption.
Risk Management Cycle
[Diagram: a cycle of Assets, Threats, Vulnerabilities, Exposure, Risk and Safeguards, with the edge labels "which protects", "which are endangered by", "resulting in" and "which is".]
Quantitative v Qualitative
[Comparison table with columns Quantitative and Qualitative; the table body is not present on the page.]
APPROVAL
• Gain leadership approval (should be an easy process if leadership is involved from the beginning)
Review Quiz
1. You are a newly hired security analyst at a large hospital. The healthcare
industry is new to you and you are undergoing HIPAA training. Because you
work for a healthcare provider, what will be your main goal as a security
analyst?
A. Maintaining the confidentiality of Protected Health Information.
B. Maintaining the confidentiality of Personally Identifiable Information.
C. Maintaining the integrity of Protected Health Information.
D. Maintaining the integrity of Personally Identifiable Information.
Answer: C, Address.
Explanation: If only a person’s name and address were unencrypted and involved in a breach, a business would not
be required to notify the person. Any of the other options, if unencrypted, would require notifying the
individual.
Review Quiz
6. Which of the following would be the most important factor for a successful IT
security program in an organization?
A. Security policies are custom written for the organization, all employees are annually trained, and all
agree to the security policies.
B. Strong support from the Chief Information Security Officer and other senior leadership.
C. The newest Anti-Virus, Firewalls and Intrusion Prevention Systems are all installed with the latest
updates.
D. A highly skilled threat management team that proactively scans for vulnerabilities.
Answer: B, Strong support from the Chief Information Security Officer and other senior leadership.
Explanation: Strong support from senior leadership is always the most critical factor to the success of any IT security
program. The other answers are great things to have, but without leadership to support the personnel, policies and
technical controls, the program won’t receive the attention and monetary backing it requires.
Review Quiz
7. Your company is purchasing a new timekeeping system. The software will
need to be installed on servers in your virtual infrastructure. What is an
example of providing due care for the new timekeeping system?
A. Perform a risk assessment on the timekeeping software prior to being implemented.
B. Have the legal department review and approve the contracts before signing.
C. Hire a third party company to perform a penetration test on the timekeeping system before the go-live.
D. Ensure the servers stay patched after the timekeeping software is installed.
Answer: D, Ensure the servers stay patched after the timekeeping software is installed.
Explanation: Due care primarily takes place after a system has been implemented. Keeping a server patched is a good
example of due care, while a risk assessment, penetration test, and contract review are examples of due diligence.
Review Quiz
8. Which of the following represents the greatest risk during an acquisition or
merger?
A. Redundancies caused by overlapping operational positions during the merger.
B. Conflicts in security policies between the two organizations.
C. Acquired data that needs more protection than outlined in the existing security program.
D. Employees whose positions are eliminated as a result of the organizational change.
Answer: D, Employees whose positions are eliminated as a result of the organizational change.
Explanation: Oftentimes, during the acquisition or merger between organizations, the revocation of former employees’
accounts is not properly managed/implemented. This increases the risk of a disgruntled employee remotely accessing
the internal system of the organization. An example of this is the Maroochy Water Services incident in 2000.