Review Questions
1. How can a security framework assist in the design and implementation of a security infrastructure? What is information security governance? Who in the organization should plan for it?
2. Where can a security administrator find information on established security frameworks?
3. What is the ISO 27000 series of standards? Which individual standards make up the series?
4. What are the inherent problems with ISO 17799, and why hasn't the United States adopted it? What are the recommended alternatives?
5. What documents are available from the NIST Computer Resource Center, and how can they support the development of a security framework?
6. What benefit can a private, for-profit agency derive from best practices designed for federal agencies?
7. What Web resources can aid an organization in developing best practices as part of a security framework?
8. Briefly describe management, operational, and technical controls, and explain when each would be applied as part of a security framework.
9. What are the differences between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?
10. Who is ultimately responsible for managing a technology? Who is responsible for enforcing policy that affects the use of a technology?
11. What is contingency planning? How is it different from routine management planning? What are the components of contingency planning?
12. When is the IR plan used?
13. When is the DR plan used?
14. When is the BC plan used? How do you determine when to use the IR, DR, and BC plans?
15. What are the five elements of a business impact analysis?
16. What are Pipkin's three categories of incident indicators?
17. What is containment, and why is it part of the planning process?
18. What is computer forensics? When are the results of computer forensics used?
19. What is an after-action review? When is it performed? Why is it done?
20. List and describe the six continuity strategies identified in the text.