Exam (elaborations)

INMT 441 QUESTIONS AND ANSWERS FULLY SOLVED

Pages: 6
Grade: A+
Uploaded on: 17-03-2026
Written in: 2025/2026

Defining ISP - answer: ISP: subset of IT policy that specifies the requirements of information security or cyber security.

ISP concepts - answer:
- procedures: specific actions taken to address a situation
- rules: specific statements of what is allowed and/or disallowed
- standards: specific performance expectations
- guidelines: non-mandatory recommendations the employee may use as a reference

Major types of ISP within a business - answer:
- enterprise-wide policies
- systems-specific policies
- issue-specific policies (security issues may cross multiple systems)

EISP - answer: high-level ISP that sets the strategic direction, scope, and tone for an organization.

who leads an EISP - answer: directed by the chief information security officer

System-Specific Information Security Policy (SISP) - answer: organizational policy that functions as standards or procedures to be used when configuring or maintaining a specific information system.

SISP can be - answer:
- separated into managerial guidance and technical specifications; or
- combined in a single unified SISP document

ISSP (issue-specific security policy) - answer: is an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource.

purpose of ISSP - answer: to establish a common understanding of the purposes for which an employee can and cannot use the resource.

steps to creating the ISP - answer:
- determine which information assets to protect from which threats
- determine access needs to system parts
- identify resources to protect assets
- develop written security policy
- commit sources

General requirements of ISP - answer:
- policy should never conflict with law
- must be able to stand up in court
- policy must be properly supported and administered

Guidelines for an effective ISP - answer:
- developed accepted industry practices
- distributed using all appropriate methods
- read by all employees
- understood
- formally agreed to
- uniformly applied and enforced

agreement by act - answer: occurs when the employee performs an action which requires them to acknowledge understanding of the policy prior to the use of a technology or resource

employee refuses to respond to policy - answer:
- may be grounds for termination
- SETA programs

Violations of ISP - answer:
- Ignorance
- Accident
- Intent

PCIDSS - answer: Payment Card Industry Data Security Standard is a set of industry standards mandated for any organization that handles cards.

SETA - answer: Security Education Training Awareness

purpose of the SETA - answer: reduce intentional or accidental security breaches by members of the organization

Pros of SETA - answer:
- improves employees' cybersecurity behavior
- informs employees where to report violations of ISP

design an implementation of SETA - answer:
1. identify problem, scope, goals, objective
2. identify target audience
3. identify training methods
4. motivate management and employees
5. administer the program, deliver training
6. maintain the program
7. evaluate program

Delivery of training methods for SETA - answer:
1. one on one
2. formal class
3. computer based training
4. distance learning user support groups
5. on job training
6. self study

Gamification - answer: using game-based mechanics for training

Phishing - answer: Fraudulent emails
- emails
- websites
- messages

Business continuity (BC) plan - answer: is a set of policies, tools and procedures, or plan, to enable an organization to continue the delivery of goods and/or services at pre-defined acceptable levels following a disruptive event.

Disaster recovery (DR) plan - answer: is a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.

Incident response (IR) plan - answer: is a set of policies, tools and procedures to dictate an organization's reactions to a cybersecurity incident.

Crisis Management (CM) plan - answer: is a set of policies, tools and procedures by which an organization deals with a disruptive and unexpected event that threatens the organization or its stakeholders.

Institution: INMT
Course: INMT
