Deck 10: Implementing Information Security

When an estimate is flawed, as when the number of effort-hours required is underestimated, the plan should be corrected and downstream tasks updated to reflect the change.

"Unfreezing" in the Lewin change model involves thawing hard-and-fast habits and established procedures.

The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.

In general, the design phase is accomplished by changing the configuration and operation of the organization's information systems to make them more secure.

The networks layer of the bull's eye is the outermost ring of the bull's eye.

The project plan as a whole must describe how to acquire and implement the needed security controls and create a setting in which those controls achieve the desired outcomes.

The budgets of public organizations are usually the product of legislation or public meetings.

The work breakdown structure (WBS) can only be prepared with a complex, specialized desktop PC application.

Planning for the implementation phase of a security project requires the creation of a detailed project plan.

The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system's bugs are worked out.

Every organization needs to develop an information security department or program of its own.

Weak management support, with overly delegated responsibility and no champion, sentences a project to almost-certain failure.

Planners need to estimate the effort required to complete each task, subtask, or action step in the project plan.

The effective use of a DMZ is one of the primary methods of securing an organization's networks.

The need for qualified, trained, and available personnel constrains the project plan.

All organizations should designate a champion from the general management community of interest to supervise the implementation of an information security project plan.

The bull's-eye model can be used to evaluate the sequence of steps taken to integrate parts of the information security blueprint into a project plan.

Each for-profit organization determines its capital budget and the rules for managing capital spending and expenses the same way.

The size of the organization and the normal conduct of business may preclude a large training program on new security procedures or technologies.

An ideal organization fosters resilience to change. _________________________

The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system's bugs are worked out. _________________________

A direct changeover is also known as going "fast turnkey." _________________________

Planning for the implementation phase requires the creation of a detailed request for proposal, which is often assigned either to a project manager or the project champion. _________________________

The optimal time frame for training is usually one to three weeks before the new policies and technologies come online. _________________________

A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________

Performance management is the process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal. _________________________

The parallel operations strategy works well when an isolated group can serve as a test area, which prevents any problems with the new system dramatically interfering with the performance of the organization as a whole. _________________________

The RFP determines the impact that a specific technology or approach can have on the organization's information assets and what it may cost. _________________________

A proven method for prioritizing a program of complex change is the bull's-eye method. _________________________

In the early stages of planning, the project planner should attempt to specify dates only for major employees within the project. _________________________

Corrective action decisions are usually expressed in terms of trade-offs. _________________________

Most information security projects require a trained project developer. _________________________

Once a project is underway, it is managed using a process known as gap analysis, which ensures that progress is measured periodically. _________________________

In project planning, the tasks or action steps that come before the specific task at hand are commonly referred to as prerequisites. _________________________

____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project forecasts than accomplishing meaningful project work.

During the implementation phase, the organization translates its blueprint for information security into a project ____________________.

A(n) _____________________ is a completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project.

A(n) ____________________ is a specific point in the project plan when a task that has a noticeable impact on the plan's progress is complete.

Management should coordinate the organization's information security vision and objectives with the communities of ____________________ involved in the execution of the plan.

Regardless of an organization's information security needs, the amount of effort that can be expended depends on the available funds; therefore, a ____________________ is typically prepared in the analysis phase of the SecSDLC and must be reviewed and verified prior to the development of the project plan.

The tasks or action steps that come before the specific task at hand are called ____________________.

The project planner should describe the skills or personnel needed for a task, often referred to as a(n) ____________________.

In systems development, JAD (____________________ development) means getting key representatives of user groups to serve as members of the development process.

Project ____________________ is a description of a project's features, capabilities, functions, and quality level, and is used as the basis of a project plan.

A(n) ____________________ implementation is the most common conversion strategy and involves a measured rollout of the planned system with a part of the system being brought out and disseminated across an organization before the next piece is implemented.

Once a project is underway, it is managed to using a process known as a negative ____________________ loop.

The ____________________ operations strategy involves running the new system concurrently with the old system.

At the center of the bull's-eye model are the ____________________ used by the organization to accomplish its work.

What minimum attributes for project tasks does the WBS document

What are the major steps in executing the project plan

A direct ____________________ involves stopping the old system and starting the new one without any overlap.

Medium- and large-sized organizations deal with the impact of technical change on the organization's operation through a(n) ____________________ control process.

What can the organization do by managing the process of change

One of the oldest models of change is the Lewin change model, which consists of three stages: unfreezing, ____________________, and refreezing.

The level of resistance to ____________________ impacts the ease with which an organization is able to implement procedural and managerial changes.

Tasks or action steps that come after the task at hand are called ____________________.

Technology _____________________ is a complex process that organizations use to manage the impact and costs of technology implementation, innovation, and obsolescence.