answers rated A+
"To move the InfoSec discipline forward, organizations should take the following steps:" - ANS
✔"• The general management community of interest should learn more about the requirements and qualifications for both InfoSec positions and relevant IT positions.
• Upper management should learn more about InfoSec budgetary and personnel needs.
• The IT and general management communities of interest should grant the InfoSec function—in particular, the chief information security officer (CISO)—an appropriate level of influence and prestige."
"When hiring InfoSec professionals at all levels, organizations frequently look for individuals who:" - ANS ✔"• Understand how organizations are structured and operated
• Recognize that InfoSec is a management task that cannot be handled with technology alone
• Work well with people in general, including users, and have strong written and verbal communication skills
• Acknowledge the role of policy in guiding security efforts
• Understand the essential role of InfoSec education and training, which helps make users part of the solution rather than part of the problem
• Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from InfoSec attacks
• Understand how technical controls (including firewalls, intrusion detection systems [IDSs], and anti-virus software) can be applied to solve specific InfoSec problems
• Demonstrate familiarity with the mainstream information technologies, including the most popular and newest Windows, Linux, and UNIX operating systems
• Understand IT and InfoSec terminology and concepts"
"chief information officer (CIO): " - ANS ✔"An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information."
"security technician: - ANS ✔A technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls are properly implemented. Also known as a security admin."
"As you learned in Chapter 5, Schwartz et al. classify InfoSec positions into one of three areas:" -
ANS ✔"those that define, those that build, and those that administer:"
"the people who operate and [administer] the security tools" - ANS ✔"the security monitoring function, and the people who continuously improve the processes. This is where all the day-to-day, hard work is done."
"Definers provide the " - ANS ✔"policies, guidelines, and standards.... They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth."
"the chief information security officer (CISO) is often considered the " - ANS ✔"top InfoSec officer in the organization. He or she frequently reports to the chief information officer (CIO), unless the organization employs a chief security officer (CSO) who oversees both physical and InfoSec areas."
"builders." - ANS ✔"They're the real techies, who create and install security solutions"
"CISOs are business managers first and technologists second, they must be" - ANS ✔"conversant in all areas of InfoSec, including technology, planning, and policy. They are expected to draft or approve a range of InfoSec policies. They also work with their CIOs and other executive managers on strategic planning, they develop tactical plans, and they work with security managers on operational planning. Finally, they develop InfoSec budgets based on available funding, and they make decisions or recommendations about purchasing, project and technology implementation, and the recruiting, hiring, and firing of security staff. Ultimately, the CISO is the spokesperson for the security team and is responsible for the overall InfoSec program."
"most common qualifications for the CISO include " - ANS ✔"working as a security manager as well as experience in planning, policy, and budgets. The most common certifications include the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM)"
"Responsibilities and Duties:" - ANS ✔"The Information Security Department Manager is responsible for envisioning and taking steps to implement the controls needed to protect both Company X information as well as information that has been entrusted to Company X by third parties. The position involves overall Company X responsibility for InfoSec regardless of the form that the information takes (paper, blueprint, CD-ROM, audio tape, embedded in products or processes, etc.), the information handling technology employed (portable computers, wireless devices, smart phones, fax machines, telephones, local area networks, file cabinets, etc.), or the people involved (contractors, consultants, employees, vendors, outsourcing firms, etc.)."
"Threats to information and information systems addressed by the Information Security Department Manager and his or her staff include, but are not limited to: " - ANS ✔"information unavailability, information corruption, unauthorized information destruction, unauthorized information modification, unauthorized information usage, and unauthorized information disclosure. These threats to information and information systems include consideration of physical security matters only if a certain level of physical security is necessary to achieve a certain level of InfoSec [for example, as is necessary to prevent theft of portable computers]"
Responsibilities & Duties (continued) - ANS ✔"• Acts as the central point of contact within Company X when it comes to all communications dealing with InfoSec, including vulnerabilities, controls, technologies, human factors issues, and management issues"
"• Establishes and maintains strong working relationships with the Company X groups involved with InfoSec matters (Legal Department, Internal Audit Department, Physical Security Department, Information Technology Department, Information Security Management Committee, etc.) [Note that the Information Security Department Manager is, in most cases, the chairperson of the Information Security Management Committee.]"
"• Establishes, manages, and maintains organizational structures and communications channels with those responsible for InfoSec; these responsible parties include individuals within Company X departments (such as Local Information Security Coordinators) as well as Company X business partners (outsourcing firms, consulting firms, suppliers, etc.)"
"• Assists with the clarification of individual InfoSec responsibility and accountability so that necessary InfoSec activities are performed as needed, according to pre-established procedures, policies, and standards"
"• Coordinates the InfoSec efforts of all internal groups, to ensure that organization-wide InfoSec efforts are consistent across the organization, and that duplication of effort is minimized [The Physical Security Department Manager does the same duty, but only for physical security efforts.]"
"• Coordinates all multi-application or multisystem InfoSec improvement projects at Company X [A good example would be converting all operating system access control systems to enforce a standard minimum password length.]"
"• Represents Company X and its InfoSec-related interests at industry standards committee meetings, professional association meetings, In
"Wood's Information Security Roles and Responsibilities Made Easy, Version 3 defines and describes the CISO position, which he calls the information security department manager, as follows:" - ANS ✔"Job Title: Information Security Department Manager [Also known as Information Security Manager, Information Systems Security Officer (ISSO), Chief Information