E-Business Security Exam (212-25)

Credit Towards Certification
 
  • Certified e-Business Associate
  • Certified e-Business Professional

Exam Details
 
  • Number of Questions: 50
  • Passing Score: 70%
  • Test Duration: 2 Hours
  • Test Format: Multiple Choice
  • Test Delivery: Online Web site

Skills Measured

The test covers the fundamental security techniques involved in minimizing e-Business security risks. It emphasizes concepts such as securing Web clients, servers, and communications. It covers the use of firewalls and digital certificates, and legal issues including how to respond when security has been breached.

Test Objectives v2

Module 1: Introduction to Information Security

  • Understand what information security is and how it came to mean what it does today.
  • Comprehend the history of computer security and how it evolved into information security.
  • Understand the key terms and critical concepts of information security as presented in the chapter.
  • Outline the phases of the security systems development life cycle.
  • Understand the role of the professionals involved in information security within an organizational structure.

Module 2: The Need for Security

  • Understand the business need for information security.
  • Understand that a successful information security program is the responsibility of an organization’s general management and IT management.
  • Understand the threats posed to information security and the more common attacks associated with those threats.
  • Differentiate threats to information systems from attacks against information systems.

Module 3: Legal, Ethical & Professional Issues in Information Security

  • Use this chapter as a guide for future reference on laws, regulations, and professional organizations.
  • Differentiate between laws and ethics.
  • Identify major national laws that relate to the practice of information security.
  • Understand the role of culture as it applies to ethics in information security.

Module 4: Risk Management: Identifying and Assessing Risk

  • Define risk management and its role in the SecSDLC.
  • Understand how risk is identified.
  • Assess risk based on the likelihood of occurrence and impact on an organization.
  • Grasp the fundamental aspects of documenting risk identification and assessment.

Module 5: Risk Management: Assessing and Controlling Risk

  • Recognize why risk control is needed in today’s organizations.
  • Know the risk mitigation strategy options for controlling risks.
  • Identify the categories that can be used to classify controls.
  • Be aware of the conceptual frameworks that exist for evaluating risk controls, and be able to formulate a cost-benefit analysis when required.
  • Understand how to maintain and perpetuate risk controls.

Module 6: Blueprint for Security

  • Understand management’s responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
  • Understand the differences between the organization’s general information security policy and the requirements and objectives of the various issue-specific and system-specific policies.
  • Know what an information security blueprint is and what its major components are.
  • Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs.
  • Become familiar with what viable information security architecture is, what it includes, and how it is used.

Module 7: Planning for Continuity

  • Know what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning.
  • Understand the elements that comprise a business impact analysis and the information that is collected for the attack profile.
  • Recognize the components of an incident response plan.

Module 8: Security Technology

  • Define and identify the various types of firewalls.
  • Discuss the approaches to firewall implementation.
  • Discuss the approaches to dial-up access and protection.
  • Identify and describe the two categories of intrusion detection systems.
  • Discuss the two strategies behind intrusion detection systems.

Module 9: Physical Security

  • Understand the conceptual need for physical security.
  • Identify threats to information security that are unique to physical security.
  • Describe the key physical security considerations for selecting a facility site.
  • Identify physical security monitoring components.
  • Grasp the essential elements of access control within the scope of facilities management.
  • Understand the criticality of fire safety programs to all physical security programs.

Module 10: Implementing Security

  • Understand how the organization’s security blueprint becomes a project plan.
  • Understand the numerous organizational considerations that must be addressed by the project plan.
  • Grasp the significant role and importance of the project manager in the success of an information security project.
  • Understand the need for professional project management for complex projects.
  • Take in the technical strategies and models for implementing the project plan.
  • Grasp the nontechnical problems that organizations face in times of rapid change.

Module 11: Information Security Maintenance

  • Understand the need for the ongoing maintenance of the information security program.
  • Become familiar with recommended security management models.
  • Understand a model for a full maintenance program.
  • Understand key factors for monitoring the external and internal environment.
  • Learn how planning and risk assessment tie into information security maintenance.
  • Understand how vulnerability assessment and remediation tie into information security maintenance.
  • Learn how to build readiness and review procedures into information security maintenance.

Module 12: Security and Personnel

  • Understand where and how the information security function is positioned within organizations.
  • Understand the issues and concerns about staffing the information security function.
  • Know about the credentials that professionals in the information security field can acquire.
  • Recognize how an organization’s employment policies and practices can support the information security effort.
  • Understand the special security precautions necessary for nonemployees.
  • Recognize the need for the separation of duties.
  • Understand the special requirements needed for the privacy of personnel data.