Security Management Practices Quiz 1
Due diligence
The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property
What are two principles that align with Promote Responsible Security Behavior?
1. Act in a professional and ethical manner: Ensure information/cyber security-related activities are performed in a reliable, responsible and effective manner
2. Foster a security-positive culture: Provide a positive security influence on the behavior of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact
What are the four principles that align with Defend the Business?
1. Adopt a risk-based approach: Ensure risks are treated in a consistent and effective manner
2. Protect classified information: Prevent classified information (e.g., confidential or sensitive) from being disclosed to unauthorized individuals
3. Concentrate on critical business applications: Prioritize scarce information/cyber security resources by protecting the business applications where a security incident would have the greatest business impact
4. Develop systems securely: Build quality, cost-effective systems upon which business people can rely (e.g., that are consistently robust, accurate and reliable)
What are the six principles that align with Support the Business?
1. Focus on the business: Ensure information/cyber security is integrated into essential business activities
2. Deliver quality and value to stakeholders: Ensure information/cyber security delivers value and meets business requirements
3. Comply with relevant legal and regulatory requirements: Ensure statutory obligations are met, stakeholder expectations are managed and civil or criminal penalties are avoided
4. Provide timely and accurate information on security performance: Support business requirements and manage information risks
5. Evaluate current and future information threats: Analyze and assess emerging information/cyber security threats so that informed, timely action to mitigate risks can be taken
6. Promote continuous improvement in information/cyber security: Reduce costs, improve efficiency and effectiveness and promote a culture of continuous improvement in information/cyber security
What are the Seven Fair Information Practices as identified in this course?
1. Notice 2. Choice (Consent) 3. Access 4. Security 5. Enforcement 6. Minimalization 7. Limited Use
What is the definition of a Principle?
1. An accepted or professed rule of action or conduct: a person of good moral principles.
2. A fundamental, primary, or general law or truth from which others are derived: the principles of modern physics.
3. Fundamental doctrine or tenet; a distinctive ruling opinion: the principles of the Stoics.
What are Security Technical Implementation Guides and why are they important? (Cont.)
• 94% of unauthorized data access is through compromised servers
• 95% of breaches are attributed to known and fixable vulnerabilities
• Know your assets and how they're configured
• System hardening is meant to reduce or eliminate the above exposures
Segregation/Separation of Duties
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.
Cyberspace
A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the internet, telecommunications networks, computer systems, and embedded processors and controllers.
What is a Non-Disclosure Agreement?
A non-disclosure agreement, or "NDA," creates a confidential relationship between a person or business that has confidential or trade secret information and a person that has access to that information. The NDA agreement protects these business secrets by limiting the way they can be used or disclosed.
Toxic Combinations
A situation where a user has a combination of entitlements/access on the system (or combination of systems), that gives them the ability to perform tasks that should never be controlled by a single user.
Non-repudiation
Ability to prove the occurrence of a claimed event or action and its originating entities
What state's data security law is the first to implement a GDPR-like law?
California
What is Data Remanence and what is the problem?
Data Remanence: Residual information remaining on storage media
What is the difference between data and information?
Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized. When data is processed, organized, structured or presented in a given context so as to make it useful, it is called information.
What are the responsibilities of a CISO?
Develop security strategy, oversee security program and initiatives, liaise with business unit managers and process owners for ongoing alignment.
Information Security
Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability).
Ethics
Ethics is defined as the study of morality
Can an employee be terminated for downloading and operating a gambling web site within an organization's DMZ? Elaborate why or why not.
It depends. The key difference between policy and law is that ignorance of policy is a viable defense; therefore policies must be:
• Distributed to all individuals who are expected to comply with them
• Readily available for employee reference
• Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees
• Acknowledged by the employee
• Uniformly enforced for all employees
Can I take software that I produced at one organization to another? Elaborate why or why not.
It depends:
• Employer/employee relationship: All rights of copyright ownership vest with (i.e., are owned by) the employer.
• The employee (actual author of the work for hire) does not have a right to terminate the copyright ownership rights of the employer.
• Independent contractor: Copyright ownership belongs to the contractor unless the contract states otherwise.
• Advisable to put assignment language in the contract.
How many A's can any RACI tasks have?
Just 1
At what layer in the Open Systems Interconnection (OSI) model does data become information?
Layer 7 - Application Layer
What are the five principles identified in the "Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity" document?
Principle 1: Directors should view cybersecurity as an important element of enterprise risk that they must oversee: identifying the company's essential assets that may be vulnerable to cyber attack, deciding which cyber risks to avoid, accept, or mitigate, and developing specific plans associated with each approach
What are the five principles identified in the "Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity" document? (Cont.)
Principle 2: Directors should view cybersecurity as a strategic and managerial issue and should therefore hold management accountable for recommending and implementing the overall cyber risk management strategy and policies
• Management should be accountable for reporting their actions and cyber breaches
• Where appropriate, the board should require key executives to attest that certain important aspects of the cybersecurity plan have been executed
• Promoting employee awareness and training is crucial
• Third-party testing of cyber vulnerabilities can provide a high degree of deterrence
• Boards should maintain an external team of professionals that are available for training and in a crisis situation
What are the five principles identified in the "Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity" document? (Cont.)
Principle 3: Directors should be guided by two broad concepts of cybersecurity: ensuring that it is managed within "three lines of defense" and based on reacting and adapting to gathering intelligence and the changing risk environment
What are the five principles identified in the "Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity" document? (Cont.)
Principle 4: Directors should understand the company's exposure to third-party vendors
What are the five principles identified in the "Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity" document? (Cont.)
Principle 5: Directors should commit to developing a corporate culture that places a high value on cybersecurity
• With management, directors should define appropriate behavior for cybersecurity and then demonstrate clearly the importance the organization places upon strict adherence
• Directors need to understand the legal and regulatory implications of cyber risks as they relate to their company's specific circumstances, including their fiduciary duties and the overarching legal terrain
Accountability
Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
Integrity
Property of accuracy and completeness
Availability
Property of being accessible and usable upon demand by an authorized entity
Reliability
Property of consistent intended behavior and results
Authenticity
Property that an entity is what it claims to be
Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes
What does RACI stand for, and how is each element defined?
R = Responsible: The individual(s) who actually complete the task, the doer. Responsibility can be shared. The degree of responsibility is determined by the individual with the "A".
A = Accountable: The person who is ultimately responsible. Only one "A" can be assigned to a task.
C = Consulted: The individual(s) to be consulted prior to a final decision or action. This incorporates two-way communication.
I = Informed: The individual(s) who need to be informed after a decision or action is taken. This is one-way communication.
Information Governance
Specification of decision rights and an accountability framework ensuring appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.
What are the six outcomes of an effective Information Security Governance program?
Strategic alignment
• Aligning security activities with business strategy, supporting organizational objectives
Risk management
• Executing appropriate measures, managing risks and potential impacts to an acceptable level
Business process assurance/convergence
• Integrating all relevant assurance processes, maximizing the effectiveness and efficiency of security activities
Value delivery
• Optimizing investments supporting business objectives
Resource management
• Using organizational resources efficiently and effectively
Performance measurement
• Monitoring and reporting on security processes, ensuring that business objectives are achieved
Define the Operational, Tactical and Strategic Planning Processes
Strategic:
• Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
• Another view: Anything greater than 1 year in duration
Tactical:
• 1-year plan that moves the organization toward the strategic goal
Operational:
• Detailed or technical plans, at most a 3 to 6 month outlook
What Collin College document outlines Student's code of ethics?
Student Handbook
What are the key terms according to Gartner in regards to Information Governance?
The key terms:
• Accountability framework for information
• Processes, roles, standards, metrics
• Effective, efficient use of information to achieve goals
Governance
The act or manner of governing, of exercising control or authority over the actions of subjects; a system of regulations.
What is the difference between Policy and Law?
The key difference between policy and law is that ignorance of policy is a viable defense; therefore policies must be:
• Distributed to all individuals who are expected to comply with them
• Readily available for employee reference
• Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees
• Acknowledged by the employee
• Uniformly enforced for all employees
Cyber Security
The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems.
Due Care
The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks.
Is Information Security the same as Privacy? Elaborate why or why not.
They are related but different. They do have a common interest in the protection of personal information.
What is Payment Card Industry (PCI)?
a. A set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment
b. An industry regulation
Why is Security Configuration Management important?
• Change happens!
• Once a secure configuration is implemented, subsequent changes must be controlled
• In the absence of SCM, an asset that is securely configured today will most likely not be secure within a short period of time
• SCM ensures configuration changes are controlled (approved, analyzed, tested)
What is Security Configuration Management?
• Security configuration management (SCM) is the management and control of configurations for an information system with the goal of enabling security and managing risk
• SCM does require an ongoing investment in time and resources
• SCM is a continuous, ongoing activity that touches all stages of the system development life cycle
• SCM should be incorporated into any existing organizational configuration management program
Why is Security Configuration Management important? (Cont.)
• Without SCM, unauthorized, unanalyzed, and untested changes will render systems, networks, and organizations vulnerable to a wide range of threats
• In addition, SCM:
  • Facilitates asset management
  • Improves incident response, help desk, disaster recovery, and problem solving
  • Aids in software development and release management
  • Enables process automation
  • Supports compliance with policies and preparation for audits
• SCM is vital to the establishment and maintenance of security of information and information systems
What are Center for Internet Security Benchmarks and why are they important? (Cont.)
• 94% of unauthorized data access is through compromised servers
• 95% of breaches are attributed to known and fixable vulnerabilities
• Know your assets and how they're configured
• System hardening is meant to reduce or eliminate the above exposures
What two things occur if one does not have sound Configuration Management processes and procedures in place and positively acted upon?
• A system or capability that does not have sound Configuration Management processes and procedures in place and positively acted upon has little to no assurance that established secure baseline configuration(s) are properly implemented and/or maintained throughout the system's or capability's lifecycle
• The security posture of a system or capability cannot be determined without sound Configuration Management processes and procedures in place and positively acted upon
• The security posture of a system or capability cannot be maintained without sound Configuration Management processes and procedures in place and positively acted upon
What are Executive Management responsibilities in regards to information security governance?
• Actively engaging in strategic decision making
  • Provide input on the organization's overall level of risk appetite for loss of intellectual property, disclosure of customer information, and disruption of business operations
  • Must engage with cybersecurity managers to help prioritize information assets and make specific trade-offs between risk reduction and operational impact
• Driving consideration of cybersecurity implications across business functions
  • Ensure business managers incorporate cybersecurity considerations into product, customer, and location decisions, while functional leaders are responsible for addressing cybersecurity considerations in human-resources and procurement decisions
• Pushing for changes in user behavior
  • Change and model their own behavior for the next level of managers
• Ensuring effective governance and reporting is in place
  • Make sure that policies and controls make sense from a business standpoint
  • Put in place effective, granular reporting on how the company is progressing against specific milestones in its cybersecurity program
What are the 8 listed benefits of a good Information Security Governance Program?
• Aligning security with business objectives
• Providing the structure and framework to optimize allocations of limited resources
• Providing assurance that critical decisions are not based on faulty information
• Ensuring accountability for safeguarding critical assets
• Increasing trust of customers and stakeholders
• Increasing the company's worth
• Reducing liability for information inaccuracy or lack of due care in protection
• Increasing predictability and reducing uncertainty of business operations
When should a Privacy Impact Assessment/Analysis be accomplished?
• Any new program, service, capability or process
• Any update/upgrade/change to an existing program, service, capability or process
What are Center for Internet Security Benchmarks and why are they important?
• Are best practices for the secure configuration of a target system
• Are available for more than 150 technologies
• Developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world
• Are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia
What are Security Technical Implementation Guides and why are they important?
• Are the configuration standards for Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems
• Play a critical role in enhancing the security posture of DoD's security systems
• Contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack
What two CIS Top 20 controls deal with Asset Management and what is the order of importance in the CIS Top 20?
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
What are some of the consequences of not implementing an effective Information Security Governance Program?
• Continued chaotic, increasingly expensive, and marginally effective firefighting mode of operation
• Continued deployment of tactical point solutions
• Continued fragmentation of "assurance-" and security-related stovepipes
• Continued haphazard security resource allocations that are unrelated to risks and impacts as well as to cost-effectiveness
Breaches of data privacy or data security can result in what?
• Damage to reputation
• Disruption of operations
• Legal liability under new and amended laws, regulations, and guidelines, as well as under contracts
• Financial costs
• Loss of customer confidence
• Loss of established or emerging business relationships
What are some of the steps one can take to align the Information Security organization within the company's overall structure? (Cont.)
• Define and document the scope of your security program:
  • Cross-functional responsibilities
  • Localization (regional/geographic areas)
  • Recognition of information security functions outside of the designated information security team (if appropriate), such as through virtual or matrixed relationships, or ad hoc situations
• Identify the employees or third parties assigned to information security functions
  • Internal resources (full-time staff, part-time staff, dedicated, or matrix)
  • Third-party/outsourced resources
• Identify and document the financial resources/budget allocated to security functions
• Identify actions necessary to secure funding to address extraordinary security needs
What are some of the steps one can take to align the Information Security organization within the company's overall structure? (Cont.)
• Define the accountability/relationship of staff outside of the information security group that perform functions directly or indirectly related to information security (RACI)
• Document the mechanisms used to align security program strategy with organizational or (especially) business strategy
• Define and document the methods used to manage performance and continual improvement of operations
• Identify how risk decisions are made in relation to information security, especially in coordination/collaboration with other enterprise risk decisions (Reputational, Operational, Financial, and Legal [ROFL]) (added)
What are the 4 primary functions of Professional Codes?
• Designed to motivate members of an association to behave in certain ways
• Have four primary functions, to:
  • Inspire
  • Guide
  • Educate
  • Discipline the members
What are some of the best practices in regards to data security and privacy audit according to the Privacy presentation? (Cont.)
• Destroy what you can
  • Shred, burn, pulverize paper records
  • Use wipe utility programs on computers, portable storage devices
  • Make shredders easily accessible
• Plan ahead
  • Develop contingency plans for a security breach
  • Designate senior staff to coordinate response
  • Investigate right away
  • Take steps to eliminate vulnerabilities
  • Be aware of data breach statutes
What is the best method for preventing an illegal or unethical activity?
• Deterrence: the best method for preventing an illegal or unethical activity
• Laws, policies, and technical controls are all examples of deterrents
What are the five identified National Association of Corporate Directors (NACD) Cyber Risk Oversight Principles?
• Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
• Directors should understand the legal implications of cyber risk as they relate to their company's specific circumstances
• Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas
• Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
• Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach
What are some of the best practices in regards to addressing a data breach according to the Privacy presentation?
• Do not panic or overreact
• Get facts: nature, scope of breach
• Determine whether, and when, to notify affected individuals
• Prevent further unauthorized access
• Preserve evidence, deal with law enforcement (your "friend"?)
• Notify vendors (such as payment processors)
• Notify insurers
• Offer a contact person
• Do not forget to alert those "on the front lines"
What are some of the steps one can take to align the Information Security organization within the company's overall structure? (Cont.)
• Document the level at which risk decisions are known, understood and accepted by the executive management of the organization
• Define how information security considerations and controls are integrated into emerging projects/initiatives, both internal and external to the enterprise
• Define and document the key stakeholders (Legal, Audit, etc.) and the methods used to strengthen relationships with these areas
• Identify how organizational culture and maturity (added) drive the execution of security operations
According to Shawn Tuma's "Reasonable Cybersecurity Guidelines" video, what can organizations that care about cybersecurity do?
• Ensure legitimate efforts are made to combat identified risks
What are some of the steps one can take to align the Information Security organization within the company's overall structure?
• Formalize a common definition of security and risk governance in your organization
• Define and implement an information security and risk governance function that is integrated with the organization's corporate and IT governance functions
• Focus on the governance processes and functions, rather than on the organizational position of the activities
• Establish a consistent channel of communication within your organization to speak on how the security program contributes to the organization's mission
• Attempt to create an effective program regardless of where you sit in the organization
List the five core components of an effective information system security program.
• Governance and Organization
• Information Security Strategy
• Information Security Framework
• Information Security Risk Management
• Measurement and Metrics
What are some of the steps one can take to align the Information Security organization within the company's overall structure? (Cont.)
• If you are not placed in the proper organizational structure, what should you do? Strategies:
  • Find your champions by gaining allies in your organization
  • Build cross-functional relationships outside of IT
  • Show your value
  • Identify security advocates outside of your reporting structure to help you promote information security across the organization and gain consensus
  • Define how information security risk should be tracked, presented, and communicated
  • Tailor the information security program (where appropriate) to different business units by understanding their unique risks and processes
According to Shawn Tuma's "What is Reasonable Security" video, what must an organization implement?
• Implement appropriate policies, procedures, tools, strategies
Failure of not implementing an effective Information Security Governance Program (Cont.)
• Incidents, breaches and losses continuously grow
• Regulatory compliance becomes more costly
• Senior management is responsible and legally liable for failing the requirements of due care and due diligence
• Customers demand greater care and, failing to get it, will vote with their feet
• The correlation between security, customer satisfaction, and business success is becoming increasingly obvious and reflected in share value
According to the text what are the key differences between Information Security and IT Security?
• Information Technology (IT) is by definition technology centric
• IT security is by definition the security related to the technology
• Security fundamentally means safety, or the absence of danger
• Information security is an assurance function providing a level of assurance of the safety of IT or information
• The safety of an organization's information assets typically goes a considerable distance beyond the purview of IT
According to Shawn Tuma's "What is Reasonable Security" video, who defines what is reasonable for an organization?
• It is defined by your organization
What are some of the best practices in regards to data security and privacy audit according to the Privacy presentation? (Cont.)
• Keep it safe
  • Train employees about safe practices
  • Implement
    • Firewalls
    • Strong passwords
    • Antivirus software
  • Use extra caution with laptops, cell phones, iPads
  • Lock desks, drawers
  • Limit access to sensitive files
  • Secure data shipped or stored offsite
Morality
• Morality can be defined as: a system of rules for guiding human conduct, and principles for evaluating those rules
• Two points are worth noting in this definition:
  • Morality is a system
  • It is a system comprised of moral rules and principles
What are the Board of Directors responsibilities in regards to information security governance?
• Place information security on the board's agenda
• Identify information security leaders, hold them accountable and ensure support for them
• Ensure the effectiveness of the corporation's information security policy through review and approval
• Assign information security to a key committee
Strategic Planning
• Process of defining an organization's strategy, or direction, and making decisions on allocating its resources to pursue this strategy
• Deals with the business as a whole, rather than just an isolated unit
• Looks at 3 to 5 years, although some extend their vision to 20 years (long term)
• Asks at least one of the following three key questions:
  • "What do we do?"
  • "For whom do we do it?"
  • "How do we excel?"
• Deals with significant uncertainties
• Addresses "strategic risks"
Operational Planning
• Process of linking strategic goals and objectives to tactical goals and objectives
• Generally 3 to 6 months in duration at most
• Describes milestones, conditions for success and explains how, or what portion of, a strategic plan will be put into operation during a given operational period
• Addresses four questions:
  • Where are we now?
  • Where do we want to be?
  • How do we get there?
  • How do we measure our progress?
• Addresses operational risks
What are the benefits in having a Security Steering Committee?
• Provides a number of benefits:
  • A forum for identifying and prioritizing current and emerging risks
  • An invaluable channel for gathering organizational intelligence
  • An avenue for disseminating important security-related information
What is the purpose of a RACI?
• The purpose of the RACI process is to answer the following questions:
  • What functions, activities, and tasks must be performed?
  • Who must perform them, and what is their level of involvement?
• Highly participative process ensuring ownership of the responsibilities
• It is designed to identify functional areas and key activities, and provides management with decision points where ambiguities exist
• It enables management to actively participate in the process of systematically describing:
  • Activities
  • Decisions to be accomplished
  • Clarity of responsibilities
What steps should one go through if faced with an Ethical dilemma?
• Recognize a moral issue
• Get the facts
• Evaluate the alternative actions from various moral perspectives
• Make a decision
• Act
• Reflect on the results of the decision afterwards
What are some of the steps one can take to align the Information Security organization within the company's overall structure? (Cont.)
• Regularly benchmark with peer and non-peer companies to identify any potential gaps, and to reassure organizational management that reasonable diligence is occurring
• Consider creating an overall objective or mission statement that is closely aligned with organizational imperatives and is understood/approved by key stakeholders
• Continuously adapt the mission statement to the organizational direction, and align the information security program with it
What are some of the best practices in regards to data security and privacy audit according to the Privacy presentation? (Cont.)
• Review contracts with vendors that collect or provide PII to the company
• Review potential insurance coverage
• Conduct annual reviews of
  • Data security
  • Data privacy
  • Risk management programs
• Develop contingency plans
What are some of the best practices in regards to data security and privacy audit according to the Privacy presentation?
• Review, assess policies and practices for data
  • Collection
  • Storage
  • Use
  • Disclosure
  • Protection
  • Destruction
• Identify exposure to data privacy, data security risks
• Consider, implement changes to minimize risks
• Develop, adopt best practices going forward
Tactical Planning
•Short-range planning emphasizing current operations of various parts of the organization
•Generally defined as a period of time extending about one year or less into the future
•Outlines what various parts of the organization must do for the organization to be successful at some point one year or less into the future
•Deals with moderate uncertainties that lie closer to the control of management than strategic ones
•Addresses "tactical risks"
What is a charter outline according to the text?
•Should have a charter outlining specific responsibilities, scope, and structure
According to Shawn Tuma's "What is Reasonable Security" video, what is the first step in identifying what risks an organization faces?
•Starts with a risk assessment, identifying what risks an organization faces
What are some of the best practices in regards to data security and privacy audit according to the Privacy presentation? (Cont.)
•Take stock
  •What information do you have?
  •Where is it stored?
  •Who has access to it?
  •Who should have access to it?
•Scale down
  •Collect only what you need
  •Keep it only as long as you need it
  •Don't use Social Security numbers unnecessarily
  •Restrict access
What are two takeaways as information value decreases over time?
•The Information Technology management cost remains constant, with a widening gap as costs exceed value over time
•E-discovery risk increases as information ages and context is lost, creating an even larger gap as value declines and risk increases
Information Technology Security
Is the process of implementing measures and systems designed to securely protect and safeguard information (business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including those not yet conceived), utilizing various forms of technology developed to create, store, use and exchange such information, against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby preserving the value, confidentiality, integrity, availability, intended use and its ability to perform its permitted critical functions.
List the different Organizational Structures where a CISO may be placed and describe the pros and cons of each? (Cont.)
Information Security as Part of the Risk Management/Compliance/Privacy function
Executive Sponsor: General Counsel or Chief Risk/Privacy Officer
•Visibility within the organization for information security issues - Medium
•Customers - Primarily external to IT
•Organization perception of information security risks - Focused toward organizational risk management goals
•Objectives for the information security program - Focused on compliance
•Authority for the information security program leader - Generally recognized across the organization
List the different Organizational Structures where a CISO may be placed and describe the pros and cons of each? (Cont.)
Information Security as a Strategic Business Driver
Executive Sponsor: CEO or Board Chairman
•Visibility within the organization for information security issues - High
•Customers - Primarily external to IT
•Organization perception of information security risks - Significant to organizational objectives
•Objectives for the information security program - Critical factor toward achieving a competitive advantage for the business
•Authority for the information security program leader - Recognized broadly across the organization as a significant component in the success of the organization
List the different Organizational Structures where a CISO may be placed and describe the pros and cons of each? (Cont.)
Information Security as part of the Converged Security function
Executive Sponsor: COO, CFO
•Visibility within the organization for information security issues - Medium
•Customers - Primarily external to IT
•Organization perception of information security risks - On par with physical security issues
•Objectives for the information security program - Focused on meeting specific business needs
•Authority for the information security program leader - Potentially recognized broadly across the organization
What are the different stages of information within its lifecycle?
Generate; Process; Update; Re-Use; Store; Delete
What is (define) Information Technology Asset Management (ITAM)?
IT Asset Management (ITAM) is defined as the set of business practices that join financial, contractual and inventory functions to support lifecycle management and strategic decision making for the IT environment in support of the organization's overall business objectives.
List the different Organizational Structures where a CISO may be placed and describe the pros and cons of each?
Information Security as Part of the IT function
Executive Sponsor: CIO
•Visibility within the organization for information security issues - Low (as information security will generally be seen as a subcomponent of broader IT issues)
•Customers - Primarily internal to IT with limited external customers
•Organization perception of information security risks - IT-centric concerns
•Objectives for the information security program - Primarily focused on compliance and tactical/operations-oriented objectives
•Authority for the information security program leader - Primarily recognized specific to individual business units
What is a written Information security program plan and what state breach law requires this?
Written document that outlines/describes your Information Security Program; Massachusetts Statute
Do all states and the District of Columbia now have data security laws?
Yes, as of 2018 all states now have a data security law on their books
Is there a process to analyze effects of Privacy in Information Systems' Programs? If so, what is such a process called?
Yes; Privacy Impact Assessment/Analysis