Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.

Explanation/Reference:
Explanation:
Parallel runs are the safest-though the most expensive-approach, because both the old and new systems are run, thus incurring what might appear to be double costs. Direct cutover is actually quite risky, since it does not provide for a 'shake down period' nor does it provide an easy fallback option. Both a pilot study and a phased approach are performed incrementally, making rollback procedures difficult to execute.

Section: Governance and Management of IT
Explanation/Reference:
The security officer would be the best person to oversee the development of such policies.
Security officers and their teams have typically been charged with the responsibility of creating the security
policies. The policies must be written and communicated appropriately to ensure that they can be
understood by the end users. Policies that are poorly written, or written at too high of an education level
(common industry practice is to focus the content for general users at the sixth- to eighth-grade reading
level), will not be understood.
Implementing security policies and the items that support them shows due care by the company and its
management staff. Informing employees of what is expected of them and the consequences of
noncompliance can come down to a liability issue.
While security officers may be responsible for the development of the security policies, the effort should be
collaborative to ensure that the business issues are addressed.
The security officers will get better corporate support by including other areas in policy development. This
helps build buy-in by these areas as they take on a greater ownership of the final product. Consider
including areas such as HR, legal, compliance, various IT areas and specific business area representatives
who represent critical business units.
When policies are developed solely within the IT department and then distributed without business input,
they are likely to miss important business considerations. Once policy documents have been created, the
basis for ensuring compliance is established. Depending on the organization, additional documentation
may be necessary to support policy. This support may come in the form of additional controls described in
standards, baselines, or procedures to help personnel with compliance. An important step after
documentation is to make the most current version of the documents readily accessible to those who are
expected to follow them. Many organizations place the documents on their intranets or in shared file folders
to facilitate their accessibility. Such placement of these documents plus checklists, forms, and sample
documents can make awareness more effective.
For your exam you should know the information below:
End User - The end user is responsible for protecting information assets on a daily basis through
adherence to the security policies that have been communicated.
Executive Management/Senior Management -Executive management maintains the overall responsibility
for protection of the information assets. The business operations are dependent upon information being
available, accurate, and protected from individuals without a need to know.
Security Officer - The security officer directs, coordinates, plans, and organizes information security
activities throughout the organization. The security officer works with many different individuals, such as
executive management, management of the business units, technical staff, business partners, auditors,
and third parties such as vendors. The security officer and his or her team are responsible for the design,
implementation, management, and review of the organization's security policies, standards, procedures,
baselines, and guidelines.
Information Systems Security Professional-Drafting of security policies, standards and supporting
guidelines, procedures, and baselines is coordinated through these individuals. Guidance is provided for
technical security issues, and emerging threats are considered for the adoption of new policies. Activities
such as interpretation of government regulations and industry trends and analysis of vendor solutions to
include in the security architecture that advances the security of the organization are performed in this role.
Data/Information/Business/System Owners - A business executive or manager is typically responsible for
an information asset. These are the individuals that assign the appropriate classification to information
assets. They ensure that the business information is protected with appropriate controls. Periodically, the
information asset owners need to review the classification and access rights associated with information
assets. The owners, or their delegates, may be required to approve access to the information. Owners also
need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners
or their delegates are responsible for understanding the risks that exist with regards to the information that
they control.
Data/Information Custodian/Steward - A data custodian is an individual or function that takes care of the
information on behalf of the owner. These individuals ensure that the information is available to the end
users and is backed up to enable recovery in the event of data loss or corruption. Information may be
stored in files, databases, or systems whose technical infrastructure must be managed, by systems
administrators. This group administers access rights to the information assets.
Information Systems Auditor-IT auditors determine whether users, owners, custodians, systems, and
networks are in compliance with the security policies, procedures, standards, baselines, designs,
architectures, management direction, and other requirements placed on systems. The auditors provide
independent assurance to the management on the appropriateness of the security controls. The auditor
examines the information systems and determines whether they are designed, configured, implemented,
operated, and managed in a way ensuring that the organizational objectives are being achieved. The
auditors provide top company management with an independent view of the controls and their
effectiveness.
Business Continuity Planner -Business continuity planners develop contingency plans to prepare for any
occurrence that could have the ability to impact the company's objectives negatively. Threats may include
earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist
activities, fire, or other major actions potentially causing significant harm. The business continuity planner
ensures that business processes can continue through the disaster and coordinates those activities with
the business areas and information technology personnel responsible for disaster recovery.
Information Systems/ Technology Professionals-These personnel are responsible for designing security
controls into information systems, testing the controls, and implementing the systems in production
environments through agreed upon operating policies and procedures. The information systems
professionals work with the business owners and the security professionals to ensure that the designed
solution provides security controls commensurate with the acceptable criticality, sensitivity, and availability
requirements of the application.
Security Administrator - A security administrator manages the user access request process and ensures
that privileges are provided to those individuals who have been authorized for access by application/
system/data owners. This individual has elevated privileges and creates and deletes accounts and access
permissions. The security administrator also terminates access privileges when individuals leave their jobs
or transfer between company divisions. The security administrator maintains records of access request
approvals and produces reports of access rights for the auditor during testing in an access controls audit to
demonstrate compliance with the policies.
Network/Systems Administrator - A systems administrator (sysadmin
/netadmin) configures network and server hardware and the
operating systems to ensure that the information can be available and accessible. The administrator
maintains the computing infrastructure using tools and utilities such as patch management and software
distribution mechanisms to install updates and test patches on organization computers. The administrator
tests and implements system upgrades to ensure the continued reliability of the servers and network
devices. The administrator provides vulnerability management through either commercial off the shelf
(COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities
appropriately.
Physical Security - The individuals assigned to the physical security role establish relationships with
external law enforcement, such as the local police agencies, state police, or the Federal Bureau of
Investigation (FBI) to assist in investigations. Physical security personnel manage the installation,
maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar
alarm systems, and card reader access control systems. Guards are placed where necessary as a
deterrent to unauthorized access and to provide safety for the company employees. Physical security
personnel interface with systems security, human resources, facilities, and legal and business areas to
ensure that the practices are integrated.
Security Analyst - The security analyst role works at a higher, more strategic level than the previously
described roles and helps develop policies, standards, and guidelines, as well as set various baselines.
Whereas the previous roles are "in the weeds" and focus on pieces and parts of the security program, a
security analyst helps define the security program elements and follows through to ensure the elements are
being carried out and practiced properly. This person works more at a design level than at an
implementation level.
Administrative Assistants/Secretaries - This role can be very important to information security; in many
companies of smaller size, this may be the individual who greets visitors, signs packages in and out,
recognizes individuals who desire to enter the offices, and serves as the phone screener for executives.
These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to
solicit confidential information that may be used for a subsequent attack. Social engineers prey on the
goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging
useful company information or of providing unauthorized entry.
Help Desk Administrator - As the name implies, the help desk is there to field questions from users that
report system problems. Problems may include poor response time, potential virus infections, unauthorized
access, inability to access system resources, or questions on the use of a program. The help desk is also
often where the first indications of security issues and incidents will be seen. A help desk individual would
contact the computer security incident response team (CIRT) when a situation meets the criteria developed
by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and
resolves other problems with access control.
Supervisor - The supervisor role, also called user manager, is ultimately responsible for all user activity and
any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten
employees. Her responsibilities would include ensuring that these employees understand their
responsibilities with respect to security; making sure the employees' account information is up-to-date; and
informing the security administrator when an employee is fired, suspended, or transferred. Any change that
pertains to an employee's role within the company usually affects what access rights they should and
should not have, so the user manager must inform the security administrator of these changes
immediately.
Change Control Analyst Since the only thing that is constant is change, someone must make sure changes
happen securely. The change control analyst is responsible for approving or rejecting requests to make
changes to the network, systems, or software. This role must make certain that the change will not
introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change
control analyst needs to understand how various changes can affect security, interoperability, performance,
and productivity. Or, a company can choose to just roll out the change and see what happens.
The following answers are incorrect:
Systems Administrator - A systems administrator (sysadmin/ netadmin) configures network and server
hardware and the operating systems to ensure that the information can be available and accessible. The
administrator maintains the computing infrastructure using tools and utilities such as patch management
and software distribution mechanisms to install updates and test patches on organization computers. The
administrator tests and implements system upgrades to ensure the continued reliability of the servers and
network devices. The administrator provides vulnerability management through either commercial off the
shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities
appropriately.
End User - The end user is responsible for protecting information assets on a daily basis through
adherence to the security policies that have been communicated.
Security Administrator - A security administrator manages the user access request process and ensures
that privileges are provided to those individuals who have been authorized for access by application/
system/data owners. This individual has elevated privileges and creates and deletes accounts and access
permissions. The security administrator also terminates access privileges when individuals leave their jobs
or transfer between company divisions. The security administrator maintains records of access request
approvals and produces reports of access rights for the auditor during testing in an access controls audit to
demonstrate compliance with the policies.
Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 109
Harris, Shun (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 108). McGraw-Hill. Kindle
Edition.