What is the chief information security officer primarily responsible for quizlet?

In a small organization, InfoSec often becomes the responsibility of a jack-of-all-trades: a single security administrator with perhaps one or two assistants for managing the technical components.

• It is not uncommon in smaller organizations to have the systems or network administrators play these many roles

• Because resources are often limited in smaller organizations, the security administrator frequently turns to freeware or open source software to lower the costs of assessing and implementing security

• In small organizations, security training and awareness are most commonly conducted on a one-on-one basis, with the security administrator providing advice to users as needed

Some feel that small organizations, to their advantage, avoid some threats precisely because of their small size

• Threats from insiders are also less likely in an environment where every employee knows every other employee

• In general, the less anonymity an employee has, the less likely he or she feels able to get away with abuse or misuse of company assets

• Smaller organizations typically have either one individual who has full-time duties in InfoSec or, more likely, one individual who manages or conducts InfoSec duties in addition to those of other functional areas, most likely IT, possibly with one or two assistants

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation

• By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets

• The operational or business units and the IT department work together to address the information security needs of the organization

There are three variations of the OCTAVE Method:

- The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, and which was designed for larger organizations (300 or more users)

- OCTAVE-S, for smaller organizations of about 100 users

- OCTAVE-Allegro, a streamlined approach for information security assessment and assurance

Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention and, one hopes, compliance.

Accident:
Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data.

Intent:
Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.

Compromises to intellectual property: Software piracy or other copyright infringement

Deviations in quality of service: Fluctuations in power, data, and other services

Espionage or trespass: Unauthorized access and/or data collection

Forces of nature: Fire, flood, earthquake, lightning, etc.

Human error or failure: Accidents, employee mistakes

Information extortion: Blackmail threat of information disclosure

Sabotage or vandalism: Damage to or destruction of systems or information

Software attacks: Malware: viruses, worms, macros, etc.

Technical hardware failures or errors: Hardware equipment failure

Technical software failures or errors: Bugs, code problems, loopholes, back doors

Technological obsolescence: Antiquated or outdated technologies

Theft: Illegal confiscation of equipment or information


An organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system (IS). Also known as the Program Manager, they are responsible for the IS throughout the SDLC, address the operational interests of the user community, ensure compliance with information security requirements, develop and maintain the System Security Plan (SSP), prepare and maintain Plans of Action and Milestones (POA&Ms), decide system access and privileges, and work with the assessor to remediate deficiencies.

An individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls. They conduct SSP assessments and control assessments, provide an assessment of deficiencies, recommend corrective action, prepare the Security Assessment Report (SAR), conduct an independent and unbiased assessment process, and ensure that the Authorizing Official (AO) receives the most objective information possible on which to base a decision.


What is the chief information security officer primarily responsible for?

The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an information security program, which includes procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats.

What is the primary responsibility of the Chief Information Officer quizlet?

The CIO is responsible for overseeing all uses of information technology and ensuring that IT is aligned with the organization's strategy. By contrast, the CDO (chief data officer) is responsible for determining the types of information the enterprise will capture, retain, analyze, and share, and the CTO (chief technology officer) is responsible for ensuring the throughput, speed, accuracy, availability, and reliability of the organization's information technology.

What is the responsibility of a CISO quizlet?

The CISO exercises overall responsibility for the organization's information technology security-related programs, such as risk management, policy development and compliance monitoring, security awareness, incident investigation and reporting, and often contingency planning.

What is the role of the CISO in an organization?

It shall be the responsibility of the Secretary of the Ministry/Department (the CEO/Head, in the case of organizations) to identify a member of senior management as the 'Chief Information Security Officer (CISO)' to establish a cyber security program, coordinate security policy compliance efforts across the organisation and interact ...