Wednesday 8 May 2013

CS9224 - INFORMATION SECURITY -UNIT IV


Subject Name: CS9224 - INFORMATION SECURITY
Unit - 4


1. What is a policy?

A policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters

2. What are the three types of security policies?

Management defines three types of security policy:
General or security program policy
Issue-specific security policies
Systems-specific security policies

3. What is Security Program Policy?

A security program policy (SPP) is also known as
A general security policy
IT security policy
Information security policy

4. Define Issue-Specific Security Policy (ISSP)

The ISSP:
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organization's position on an issue

5. What are ACL Policies?

ACLs allow configuration to restrict access from anyone and anywhere
ACLs regulate:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system

6. What is Information Security Blueprint?

The security blueprint is the basis for the design, selection, and implementation of security policies, education and training programs, and technology controls.

7. Define ISO 17799/BS 7799 Standards and their drawbacks

One of the most widely referenced and often discussed security models is the Information Technology - Code of Practice for Information Security Management, which was originally published as British Standard BS 7799
This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security

8. Mention the Drawbacks of ISO 17799/BS 7799
Several countries have not adopted 17799 claiming there are fundamental problems:
The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799
17799 lacks "the necessary measurement precision of a technical standard"
There is no reason to believe that 17799 is more useful than any other approach currently available
17799 is not as complete as other frameworks available
17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls

9. What are the objectives of ISO 17799?

Organizational Security Policy is needed to provide management direction and support
Objectives:
Operational Security Policy
Organizational Security Infrastructure
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
System Access Control
System Development and Maintenance
Business Continuity Planning
Compliance

10. What alternate security models are available other than ISO 17799/BS 7799?

Another approach is described in the many documents available from the Computer Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov), including:
NIST SP 800-12 - The Computer Security Handbook
NIST SP 800-14 - Generally Accepted Principles and Practices for Securing IT Systems
NIST SP 800-18 - The Guide for Developing Security Plans for IT Systems

11. List the management controls of NIST SP 800-26

Risk Management
Review of Security Controls
Life Cycle Maintenance
Authorization of Processing (Certification and Accreditation)
System Security Plan

12. Mention the Operational Controls of NIST SP 800-26
Personnel Security
Physical Security
Production, Input/Output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capability

13. What are the Technical Controls of NIST 800-26?

Identification and Authentication
Logical Access Controls
Audit Trails

14. What is Sphere of protection?
The "sphere of protection" overlays each of the levels of the "sphere of use" with a layer of security, protecting that layer from direct or indirect use through the next layer
The people must become a layer of security, a human firewall that protects the information from unauthorized access and use
Information security is therefore designed and implemented in three layers
policies
people (education, training, and awareness programs)
technology

15. What is Defense in Depth?
One of the foundations of security architectures is the requirement to implement security in layers
Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls

16. What is Security perimeter?
The point at which an organization's security protection ends, and the outside world begins is referred to as the security perimeter

17. What are the key technological components used for security implementation?

A firewall is a device that selectively discriminates against information flowing into or out of the organization
The DMZ (demilitarized zone) is a no-man's land, between the inside and outside networks, where some organizations place Web servers
In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems or IDS

18. What is Systems-Specific Policy (SysSP)?

SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems
Systems-specific policies fall into two groups:
Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system

19. What is the importance of blueprint?
The blueprint should specify the tasks to be accomplished and the order in which they are to be realized. It should serve as a scalable, upgradable, and comprehensive plan for the information security needs of the coming years.

20. What are the approaches of ISSP?

Three approaches:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
