Security Policies and Implementation Issues
Even a perfect policy will not prevent all threats. The key factor in deciding whether a business will implement any given policy is cost. Policies support the risk assessment and reduce cost by providing the controls and procedures used to manage risk. A good policy also includes support for incident handling. Pg 15
Policy may add complexity to a job; what matters is whether that complexity is manageable. Unmanageable complexity refers to how complex the project is and how realistic it is to carry out. The organization's ability to support its security policies is an important topic. Pg 105
Who should review changes to a business process?
A policy change control board. At a minimum it should include representatives from information security, compliance, audit, HR, leadership from the other business units, and project managers (PMs). Pg 172
-------------------------------------------------
Policy – a document that states how the organization is to perform and conduct business functions and transactions to reach a desired outcome. A policy is based on a business requirement (such as a legal or organizational one).
-------------------------------------------------
Standard – an established and proven norm or method; it can be a procedural standard or a technical standard, implemented organization-wide.
-------------------------------------------------
Procedure – a written statement describing the steps required to implement a process. Procedures are the technical steps taken to achieve policy goals (a how-to document).
-------------------------------------------------
Guideline – a parameter within which a policy, standard, or procedure is suggested but remains optional. Pg 11-13
-------------------------------------------------
Resiliency is the term used in IT for how quickly the IT infrastructure can recover from a disruption. Pg 279. The Recovery Time Objective (RTO) is the