Question
1. How granular should information security policies get? For example, should they get down to the level of specifying required operating system configuration settings?
2. A struggle for information security professionals is how far the testing of security controls should go to verify the financial statements are accurate. For example, should you test remote access to the network? Those controls, you would think, would be far removed from the actual financial data, as an attacker would need to break through various layers of controls until they gained access to a financial application. If an external auditor told you they had to test network controls for SOX, what might be a counter-argument you would give them to say that is overkill?
Explanation / Answer
1. These days, information security policies seem to be very detailed, covering various aspects like the objectives to secure the system and more. The problem is that they are very detailed, and most of them go to waste as no one takes them seriously since they are too long to read. Information policies should be to the point and define the objectives within a short number of pages. In order to make their size appropriate, the ISO 27001 standard defines various levels of security policies:
a) High-level policies, which include the Information Security Management System (ISMS) policy. This basically includes the objectives to secure the system, along with the various requirements needed to achieve those objectives. It also includes the risk evaluation criteria and the strategy for risk management. These policies should be to the point and short (a maximum of 1 or 2 pages), because their main purpose is to control the ISMS.
b) Detailed policies: These describe a particular area of security in detail, with precise responsibilities. They are basically meant for operational use or for studying a particular aspect of security in depth. Examples are an access control policy defining the access rights to a system, and a password policy to ensure the confidentiality of data. A clear screen policy is also present here. Since these policies prescribe more detail, they are meant to be a maximum of about 10 pages. If they were much longer than that, it would be very difficult to implement and maintain them. The main purpose is again to be to the point and help in achieving the main objectives for a particular area. For example, network security can include inspection of all data packets to and from the system, detailed analysis of the system to check transactions, checking data flow, and checking software; everything requires a lot of detail, yet it all has to be written in a short manner to be implementable.
2. If I had to test the network controls for SOX, I would make sure I tested the hardware and the network links with the server computer. But at the same time, checking each and every data flow may be very costly and time consuming. Only the most important data should be checked. For example, there might be some customers who have retired or resigned, and their data flow might still be monitored with the company's server. This is of no use, as there is no data flow between them. As a result, applying and securing all controls for the entire network can be a waste and result in overkill, as a lot of money will be wasted. Moreover, the security controls applied to one part might change the data in another, and as a result the attacker may never be detected and may continue to commit fraud. The best technique is to analyse the data flow between the various important workstations and servers, and also whether the latest software is installed on their computers or not. This will not result in overkill and will help in ensuring security in the best possible way. For example:
Tripwire Enterprise's comprehensive solution:
-> It addresses the Acquire and Implement (AI) and Delivery and Support (DS) guidelines of COBIT with out-of-the-box change audit reporting and a library of COBIT configurations.
-> It usually compares system configurations to “gold systems,” and reports and remediates configuration items that might differ or vary from the given gold standard.
-> It identifies authorized and unauthorized changes or suspicious event activity over a period of time, and lets the auditor know which changes are occurring at what time, to make sure malicious activity can be detected.
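The "gold system" comparison and the authorized/unauthorized change classification described above, as an added example that is not part of the original answer and not Tripwire's own code: the baseline settings, host snapshot and approved-change records are all constructed sample data, and the setting names are hypothetical.

```python
"""Gold-baseline configuration audit (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

# Constructed gold baseline: settings a hardened server is expected to have.
GOLD_BASELINE = {
    "PasswordMinLength": "14",
    "PasswordMaxAgeDays": "90",
    "RemoteLoginRoot": "no",
    "AuditLogEnabled": "yes",
    "IdleSessionTimeoutMin": "15",
}

# Constructed approved-change records: (host, setting, approved new value).
APPROVED_CHANGES = {
    ("fin-app-01", "IdleSessionTimeoutMin", "10"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    observed: Optional[str]   # None means the setting is missing on the host
    authorized: bool


def audit_host(host, observed, baseline=GOLD_BASELINE, approved=APPROVED_CHANGES):
    """Return one Finding per deviation of the host's settings from the baseline.

    A deviation is 'authorized' only when an approved change record matches the
    host, the setting and the observed value exactly; anything else is flagged
    for the auditor as an unauthorized change.
    """
    findings = []
    for setting, expected in baseline.items():
        value = observed.get(setting)
        if value == expected:
            continue
        findings.append(Finding(host, setting, expected, value,
                                (host, setting, value) in approved))
    return findings


def unauthorized(findings):
    """Keep only the deviations an auditor needs to follow up on."""
    return [f for f in findings if not f.authorized]


if __name__ == "__main__":
    # Constructed snapshot of one financial application server.
    snapshot = {"PasswordMinLength": "8", "PasswordMaxAgeDays": "90",
                "RemoteLoginRoot": "no", "IdleSessionTimeoutMin": "10"}
    for finding in audit_host("fin-app-01", snapshot):
        print(finding)
```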