01. Enterprise Governance Flashcards
Enterprise Governance
“A process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring”
This is a definition of what function
GOVERNANCE
33
Enterprise Governance
GOVERNANCE is a process whereby senior management exerts strategic control over business functions through what 4 methods
- POLICIES
- OBJECTIVES
- DELEGATION OF AUTHORITY
- MONITORING
33
Enterprise Governance
GOVERNANCE provides the management oversight of the business to ensure business processes effectively meet the organisation's business ____ and ____
- VISION
- OBJECTIVES
33
Enterprise Governance
- Organisations usually establish governance through the use of what body of people
- This body of people is usually responsible for setting what business strategy
- STEERING COMMITTEE
- LONG TERM
- Organisations usually establish governance through steering committees responsible for setting long-term business strategy and making changes to ensure that business processes continue to support business strategy and the organisation's overall needs
33
Enterprise Governance
“Organisations usually establish governance through steering committees responsible for setting long-term business strategy and making changes to ensure that business processes continue to support business strategy and the organisation's overall needs”
This is accomplished through the development and enforcement of what 4 things
- POLICIES
- STANDARDS
- PROCEDURES
- REQUIREMENTS
33
Enterprise Governance
Information security governance typically focuses on several key processes which include;
[ ] Personnel Management
[ ] Vendor hardware selection
[ ] Sourcing
[ ] Risk Management
[ ] Certification and Training
[ ] Configuration Management
[ ] Change Management
[ ] Operating system selection
[ ] Access Management
[ ] Vulnerability Management
[ ] Team resource size
[ ] Incident Management
[ ] BCP
[X] Personnel Management
[ ] Vendor hardware selection
[X] Sourcing
[X] Risk Management
[ ] Certification and Training
[X] Configuration Management
[X] Change Management
[ ] Operating system selection
[X] Access Management
[X] Vulnerability Management
[ ] Team resource size
[X] Incident Management
[X] BCP
33
Enterprise Governance
Information Security is a BUSINESS or STRATEGIC issue
BUSINESS
34
Enterprise Governance
The main reason typically cited for an information security business issue is what, in relation to individuals in particular roles
LACK OF UNDERSTANDING AND COMMITMENT
(board of directors and snr. exec)
34
Enterprise Governance
- Many people in a business see information security as what sort of issue
- In order to be successful, information security must be considered what sort of issue
- TECHNOLOGY ISSUE
- PEOPLE ISSUE
34
Enterprise Governance
How can a business be in a position of reduced risk in relation to people at all levels
UNDERSTAND ROLES AND RESPONSIBILITIES
- When people at each level in the organisation understand the importance and impact of information security, and their own roles and responsibilities, the organisation will be in a position of reduced risk
34
Enterprise Governance
Information security governance is a set of established activities that helps management understand what 3 things in relation to the organisation
- STATE OF SECURITY PROGRAM
- CURRENT RISKS
- DIRECT ACTIVITIES
34
Enterprise Governance
A goal of the security program is to contribute towards what in relation to the wider business
SECURITY STRATEGY
34
Enterprise Governance
In order for a security governance program to succeed, what else should the business have established and in place
IT GOVERNANCE PROGRAM
34
Enterprise Governance
“The desired capabilities or end states are ideally expressed in achievable, measurable terms”
This is the definition of what artifact or action that forms part of a healthy security governance program
OBJECTIVES
35
Enterprise Governance
“This is a plan to achieve one or more objectives”
This is the definition of what artifact or action that forms part of a healthy security governance program
STRATEGY
35
Enterprise Governance
“At a minimum, ____ should directly reflect the mission, objectives, and goals of the overall organisation”
This is the definition of what artifact or action that forms part of a healthy security governance program
POLICY
35
Enterprise Governance
“These should flow directly from the organisation's mission, objectives and goals. Whatever is most important to the organisation should also be essential to information security”
This is the definition of what artifact or action that forms part of a healthy security governance program
PRIORITIES
35
Enterprise Governance
“The technologies, protocols, and practices used by IT should align with the organisation's needs. On their own, ____ help drive a consistent approach to solving business challenges. A choice of these should facilitate solutions that meet the organisation's needs in a cost-effective and secure manner”
This is the definition of what artifact or action that forms part of a healthy security governance program
STANDARDS
- The choice of standards should facilitate solutions that meet the organisation's needs in a cost-effective and secure manner
35
Enterprise Governance
“Formalised descriptions of repeated business activities that include instructions to applicable personnel. They include one or more procedures and definitions of business records and other facts that help workers understand how things are supposed to be done”
This is the definition of what artifact or action that forms part of a healthy security governance program
PROCESSES
35
Enterprise Governance
“These are formal descriptions of critical activities to ensure desired outcomes”
This is the definition of what artifact or action that forms part of a healthy security governance program
CONTROLS
35
Enterprise Governance
“The organisation's IT and security programs and projects should be organised and performed in a consistent manner that reflects business priorities and supports the business”
This is the definition of what artifact or action that forms part of a healthy security governance program
PROGRAM & PROJECT MANAGEMENT
35
Enterprise Governance
“____ includes the formal measurement of processes and controls so that management understands and can measure them”
This is the definition of what artifact or action that forms part of a healthy security governance program
METRICS/REPORTING
35
Enterprise Governance
Security governance should be practiced in a business in the same way it performs governance in what 2 other areas
- IT GOVERNANCE
- CORPORATE GOVERNANCE
35
Enterprise Governance
“Management will ensure that risk assessments are performed to identify risks in information systems and supported processes. Follow-up actions will be carried out to reduce the risk of system failure and compromise”
This is a definition of which activity required to protect the organisation
RISK MANAGEMENT
36
Enterprise Governance
“Management will ensure that key changes will be made to business processes that will result in security improvement”
This is a definition of which activity required to protect the organisation
PROCESS IMPROVEMENT
36
Enterprise Governance
“Management will put technologies and processes in place to ensure that security events and incidents will be identified as quickly as possible”
This is a definition of which activity required to protect the organisation
EVENT IDENTIFICATION
36
Enterprise Governance
“Management will put incident response procedures into place to help avoid incidents, reduce impact and probability of incidents, and improve response to incidents to minimise their impact on the organisation”
This is a definition of which activity required to protect the organisation
INCIDENT RESPONSE
37
Enterprise Governance
“Management will identify all applicable laws, regulations, and standards and carry out activities to confirm that the organisation can attain and maintain compliance”
This is a definition of which activity required to protect the organisation
IMPROVED COMPLIANCE
37
Enterprise Governance
“Management will define objectives and allocate resources to develop business continuity and disaster recovery plans”
This is a definition of which activity required to protect the organisation
BCP/DR PLANNING
37
Enterprise Governance
“Management will establish processes to measure key security events such as incidents, policy changes and violations, audits, and training”
This is a definition of which activity required to protect the organisation
METRICS
37
Enterprise Governance
“The allocation of workforce, budget, and other resources to meet security objectives is monitored by management”
This is a definition of which activity required to protect the organisation
RESOURCE MANAGEMENT
37
Enterprise Governance
“An effective security governance program will result in better strategic decisions in the IT organisation that keep risks at an acceptably low level”
This is a definition of which activity required to protect the organisation
IMPROVED IT GOVERNANCE
37
Enterprise Governance
What are the 2 key results of having an effective security governance program in place
- INCREASED TRUST
- IMPROVED REPUTATION
- Customers, suppliers, and partners will trust the organisation to a greater degree when they see that security is managed effectively
- The business community, including customers, investors, and regulators, will hold the organisation in higher regard
37
Enterprise Governance
To be business aligned, people in the security program should be aware of what 5 characteristics of the organisation;
[ ] Size and No. of Employees
[ ] Culture
[ ] Asset Value
[ ] Number of assets
[ ] Back up Objective
[ ] Risk Tolerance
[ ] Legal Obligations
[ ] Most important client
[ ] Market Conditions
[ ] Size and No. of Employees
[X] Culture
[X] Asset Value
[ ] Number of assets
[ ] Back up Objective
[X] Risk Tolerance
[X] Legal Obligations
[ ] Most important client
[X] Market Conditions
38
Enterprise Governance
A risk associated with an overzealous security manager who is more risk-averse than the business itself, causing groups within the business to bypass corporate IT processes and procure their own solutions
SHADOW IT
38
Enterprise Governance
Goals and objectives further the organisation's mission, helping it to achieve what;
[ ] Attract new customers
[ ] Have a large workforce
[ ] Increase market share
[ ] Increase revenue/profitability
[ ] Grow rapidly
[X] Attract new customers
[ ] Have a large workforce
[X] Increase market share
[X] Increase revenue/profitability
[ ] Grow rapidly
38
Enterprise Governance
What is the ISACA definition of risk appetite
“Level of risk an organisation is willing to accept while pursuing its mission, strategy, and objectives before taking action to treat the risk”
39
Enterprise Governance
“the term used that describes how people within an organisation treat one another and how they get things done”
This is a definition of what
ORGANISATIONAL CULTURE
39
Enterprise Governance
The way that an organisation's leaders treat each other sets what for the rest of the employees
BEHAVIORAL NORMS
39
Enterprise Governance
A culture that affects how the organisation deals with risk and how it treats risk over time
RISK CULTURE
39
Enterprise Governance
A formal policy statement that defines permitted activities and forbidden activities in an organisation
ACCEPTABLE USE POLICY
(AUP)
39
Enterprise Governance
A policy that sets out to regulate the behaviour of professionals and ensure that those professionals maintain a high standard of conduct
CODE OF ETHICS
aka code of conduct
40
Enterprise Governance
The UK act and year that sets out the prohibition of individuals or organisations bribing foreign government officials
UK BRIBERY ACT 2010
40
Enterprise Governance
Laws, Regulations, Professional standards and requirements are all examples of INTERNAL or EXTERNAL governance
EXTERNAL
40
Enterprise Governance
As well as laws, regulations, professional standards and requirements, what else may be a form of external governance imposed on an organisation
CONTRACTUAL REQUIREMENTS
41
Enterprise Governance
If an organisation has a hierarchical structure in place i.e. specific departments in place to carry out roles and responsibilities, it can be said to have what sort of structure
FUNCTIONAL
41
Enterprise Governance
All different organisational structures in the business, from lower level work sections to higher level departments and divisions, have “what” in regards to cybersecurity
RESPONSIBILITIES
- Information security is everyone's responsibility
42
Enterprise Governance
Information security governance is most effective when every person knows what about their role
WHAT IS EXPECTED OF THEM
- Better organisations develop formal roles and responsibilities so that personnel have a clear idea of their part in all matters related to the protection of information systems
42
Enterprise Governance
“A description of the expected activities that an employee is obligated to perform as part of their employment”
What is this a definition of in relation to organisational roles
ROLE
42
Enterprise Governance
“Roles are typically associated with this label, the label being assigned to each person that designates their place in the organisation”
What is this a definition of in relation to organisational roles
JOB TITLE
42
Enterprise Governance
“A statement of activities that a person is expected to perform”
What is this a definition of in relation to organisational roles
RESPONSIBILITIES
43
Enterprise Governance
A chart that assigns levels of responsibility to individuals and groups
RACI
43
Enterprise Governance
“The person or group that performs the actual work or task”
This is a definition of which function in a RACI chart
RESPONSIBLE
44
Enterprise Governance
“The person who is ultimately answerable for complete, accurate, and timely execution of the work”
This is a definition of which function in a RACI chart
ACCOUNTABLE
44
Enterprise Governance
“One or more people or groups engaged with to determine their opinions, experiences, or insight”
This is a definition of which function in a RACI chart
CONSULTED
44
Enterprise Governance
“One or more people or groups spoken to by those in other roles”
This is a definition of which function in a RACI chart
INFORMED
44
Enterprise Governance
When assigning roles to individuals and groups in a RACI chart, what 3 specific aspects must be considered
[ ] Age of employee
[ ] Skills/Capabilities
[ ] Segregation of duties
[ ] Conflict of interest
[ ] Resource availability
[ ] Age of employee
[X] Skills/Capabilities
[X] Segregation of duties
[X] Conflict of interest
[ ] Resource availability
45
Enterprise Governance
A duty that boards of directors have that holds them accountable to shareholders or constituents, and to act in the organisation's best interests
FIDUCIARY DUTY
45
Enterprise Governance
What are 3 reasons that a board member may be selected into the role;
[ ] Gender
[ ] Investor representation
[ ] Age
[ ] Business experience
[ ] Access to resources
[ ] Financially well off
[ ] Gender
[X] Investor representation
[ ] Age
[X] Business experience
[X] Access to resources
[ ] Financially well off
45
Enterprise Governance
The National Association of Corporate Directors (NACD) has developed 5 principles regarding the importance of information security. Marry up each of the principles in order as listed below
[ ] Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular time on board meeting agendas
[ ] Directors should understand the legal implications of cyber risks
[ ] Board management discussions should include identification and qualification of financial exposure to cyber risks
[ ] Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework
[ ] Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk
OPTIONS
Principle 1
Principle 2
Principle 3
Principle 4
Principle 5
[3] Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular time on board meeting agendas
[2] Directors should understand the legal implications of cyber risks
[5] Board management discussions should include identification and qualification of financial exposure to cyber risks
[4] Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework
[1] Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk
46
Enterprise Governance
- Develop and operate business-enabling capabilities through the use of information systems is the primary mission of IT or INFORMATION SECURITY
- Develop a program of risk management, security, privacy, and compliance is the primary mission of IT or INFORMATION SECURITY
- IT
- INFORMATION SECURITY
46
Enterprise Governance
What are the 3 chief title/roles that typically exist within an organisation within the executive team
- CHIEF INFORMATION OFFICER (CIO)
- CHIEF TECHNICAL OFFICER (CTO)
- CHIEF INFORMATION SECURITY OFFICER (CISO)
47
Enterprise Governance
What are the 3 key areas that executive management should be involved in;
- ____ : Security policies developed by the information security function should be visibly endorsed
- ____ : The executive team should not exhibit behaviour suggesting they are “above” security policy
- ____ : Responsible for all actions carried out by the personnel who report to them
- RATIFY CORPORATE SECURITY POLICY
- LEAD BY EXAMPLE
- ULTIMATE RESPONSIBILITY
47
Enterprise Governance
Who or which group is typically responsible for the following;
- Risk treatment deliberation and recommendation
- Discussion and coordination of IT and security projects
- Review of recent risk assessments
- Discussion on new laws, regulations, and requirements
- Review of recent security incidents
STEERING COMMITTEE
47/48
Enterprise Governance
A business process and business asset owner is typically someone of a TECHNICAL or NON TECHNICAL background in a SUPPORT or MANAGEMENT role
- NON TECHNICAL
- MANAGEMENT
48
Enterprise Governance
The responsibilities of business process and business asset owners includes which 7 functions;
[ ] Access grants
[ ] Access revocation
[ ] Access disposal
[ ] Access reviews
[ ] Configuration
[ ] Editing
[ ] Function definition
[ ] Safety documentation
[ ] Process definition
[ ] Physical location
[X] Access grants
[X] Access revocation
[ ] Access disposal
[X] Access reviews
[X] Configuration
[ ] Editing
[X] Function definition
[ ] Safety documentation
[X] Process definition
[X] Physical location
48
Enterprise Governance
As a result of asset owners not being involved in the day to day activities related to managing their assets, and other teams acting as proxy to grant and revoke access, what should they do periodically to get a better assessment on their assets
PERIODIC REVIEW
49
Enterprise Governance
In organisations that do not have a CISO, the visibility and importance of information security is hampered, which often results in information security being what sort of function, i.e. concerned with primary defenses such as firewalls, antivirus, and other tools, and excluding strategy-level information security.
TACTICAL FUNCTION
50
Enterprise Governance
Not having a CISO often results in the absence of a security program and the organisation's general lack of priority for and awareness of relevant (i) ____ , (ii) ____ , and (iii) ____
- RISKS
- THREATS
- VULNERABILITIES
50
Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest-ranking position;
“Information security is tactical and often viewed as consisting only of antivirus software and firewalls. The role has no visibility into the development of business objectives. Executives consider security as unimportant and based on technology only”
SECURITY MANAGER
50
Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest-ranking position;
“Information security is essential and has moderate decision-making capability but little influence on the business. May have little visibility of overall business strategies and little or no access to executive management or the board of directors”
SECURITY DIRECTOR
50
Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest-ranking position;
“Information security is strategic but does not influence business strategy and objectives. The role has access to executive management and possibly the board of directors”
VICE PRESIDENT
50
Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest-ranking position;
“Information security is strategic, and business objectives are developed with full consideration for risk. The C-level security person has free access to executive management and the board of directors”
CISO/CIRO/CRO/CSO/vCISO
50
Enterprise Governance
The role of a Chief Privacy Officer (CPO) aka Data Protection Officer (DPO) may be required because the organisation stores vast amounts of data which contains what in relation to individuals
PERSONALLY IDENTIFIABLE INFORMATION
(PII)
51
Enterprise Governance
“A role that typically includes oversight over policy and organisation functions that come into scope for regulations and standards”
This is a definition of what role
CHIEF COMPLIANCE OFFICER
(CPO)
51
Enterprise Governance
“responsible for overall information systems architecture in the organisation”
This is the definition of which software development role
SOFTWARE ARCHITECT
51
Enterprise Governance
“Involved with the design of applications, including changes in applications original design”
This is the definition of which software development role
SYSTEMS ANALYST
51
Enterprise Governance
“Develops application software, custom interfaces, application customisations etc.”
This is the definition of what software development role
SOFTWARE ENGINEER/DEVELOPER
51
Enterprise Governance
“Responsible for data architecture and management in large organisations”
This is the definition of what Data Management role
DATA MANAGER
52
Enterprise Governance
“develops logical and physical designs of data models for applications”
This is the definition of what Data Management role
DATA ARCHITECT
52
Enterprise Governance
“Develops data models and data analytics for large, complex data sets”
This is the definition of what Data Management role
BIG DATA ARCHITECT
52
Enterprise Governance
“Builds and maintains databases designed by the database architect and databases that are included as part of purchased applications”
This is the definition of what Data Management role
DATABASE ADMINISTRATOR
(DBA)
52
Enterprise Governance
“performs tasks that are junior to the DBA, carrying out routine data maintenance and monitoring tasks”
This is the definition of what Data Management role
DATABASE ANALYST
52
Enterprise Governance
“Applies scientific methods, builds processes, and implements systems to extract knowledge or insights from data”
This is the definition of what Data Management role
DATA SCIENTIST
52
Enterprise Governance
“designs data and voice networks and designs changes and upgrades to networks”
This is the definition of which Network Management role
NETWORK ARCHITECT
52
Enterprise Governance
“implements, configures, and maintains network devices such as routers, switches, firewalls, and gateways”
This is the definition of which Network Management role
NETWORK ENGINEER
52
Enterprise Governance
“Performs routine tasks in the network, such as making configuration changes and monitoring event logs”
This is the definition of which Network Management role
NETWORK ADMINISTRATOR
52
Enterprise Governance
“works with telecommunications technologies such as telecom services, data circuits, phone systems etc.”
This is the definition of which Network Management role
TELECOM ENGINEER
52
Enterprise Governance
“responsible for the overall architecture of systems (usually servers) in terms of the internal architecture of a system and the relationship between systems”
This is the definition of which Systems Management role
SYSTEMS ARCHITECT
53
Enterprise Governance
“responsible for designing, building, and maintaining servers and server operating systems”
This is the definition of which Systems Management role
SYSTEMS ENGINEER
53
Enterprise Governance
“responsible for designing, building, and maintaining storage subsystems”
This is the definition of which Systems Management role
STORAGE ENGINEER
53
Enterprise Governance
“responsible for performing maintenance and configuration operations on systems”
This is the definition of which Systems Management role
SYSTEMS ADMINISTRATOR
53
Enterprise Governance
“responsible for overall operations carried out by others”
This is the definition of which IT Operations role
OPERATIONS MANAGER
53
Enterprise Governance
“responsible for developing operational procedures, examining the health of networks, systems, and databases, setting and monitoring operations schedule, and maintaining operations records”
This is the definition of which IT Operations role
OPERATIONS ANALYST
53
Enterprise Governance
“monitors batch jobs, data entry work, and other tasks to make sure they are operating correctly”
This is the definition of which IT Operations role
CONTROLS ANALYST
53
Enterprise Governance
“responsible for monitoring systems and networks, performing backup tasks, running batch jobs, printing reports, and performing other operational tasks”
This is the definition of which IT Operations role
SYSTEMS OPERATOR
53
Enterprise Governance
“responsible for maintaining and tracking the use and whereabouts of backup volumes”
This is the definition of which IT Operations role
MEDIA MANAGER
53
Enterprise Governance
“responsible for performing risk assessments and maintaining the risk register”
This is the definition of which Governance, Risk, and Compliance (GRC) role
RISK MANAGER
54
Enterprise Governance
“responsible for maintaining security and privacy policy documents and related information. Works closely with the risk manager, identifying risks that may identify the need for new and updated policy”
This is the definition of which Governance, Risk, and Compliance (GRC) role
POLICY MANAGER
54
Enterprise Governance
“responsible for maintaining security controls, advising control owners on responsibilities and expectations, and assessing controls for effectiveness”
This is the definition of which Governance, Risk, and Compliance (GRC) role
CONTROLS MANAGER
54
Enterprise Governance
“responsible for assessing new and existing vendors and service providers, identifying and reporting on risks, and developing mitigation strategies”
This is the definition of which Governance, Risk, and Compliance (GRC) role
THIRD-PARTY RISK MANAGEMENT
54
Enterprise Governance
“responsible for data classification policy and serves as a governance function to manage the organisation's use of information”
This is the definition of which Governance, Risk, and Compliance (GRC) role
INFORMATION GOVERNANCE
54
Enterprise Governance
“responsible for developing and delivering content of various types to enable the workforce to understand their information security and privacy responsibilities”
This is the definition of which Governance, Risk, and Compliance (GRC) role
SECURITY AWARENESS TRAINING
54
Enterprise Governance
“responsible for developing and executing communications plans to keep employees, customers, regulators, and shareholders informed of business emergencies and disruptive events”
This is the definition of which Business Resilience role
CRISIS COMMUNICATIONS
54
Enterprise Governance
“responsible for developing and executing plans to manage business emergencies when they occur”
This is the definition of which Business Resilience role
CRISIS MANAGEMENT
54
Enterprise Governance
“responsible for conducting business impact analysis and criticality analysis and for developing and testing business continuity plans”
This is the definition of which Business Resilience role
BUSINESS CONTINUITY PLANNING
54
Enterprise Governance
“responsible for developing and testing procedures that ensure information systems' continued operation and recovery when disruptive events occur”
This is the definition of which Business Resilience role
DISASTER RECOVERY PLANNING
54
Enterprise Governance
“responsible for designing technical security controls, systems, and solutions in contexts such as authentication, audit logging, IDS, IPS, access control, antimalware, and firewalls”
This is the definition of which Security Operations role
SECURITY ARCHITECT
54
Enterprise Governance
“responsible for designing, building, and maintaining security services and systems designed by the security architect”
This is the definition of which Security Operations role
SECURITY ENGINEER
55
Enterprise Governance
“responsible for examining logs from firewalls and IDS and audit logs from systems and applications”
This is the definition of which Security Operations role
SECURITY ANALYST
55
Enterprise Governance
“responsible for conducting forensic investigations on information systems to identify the presence and effect of malware, misbehaviour of employees, and actions taken by intruders”
This is the definition of which Security Operations role
FORENSICS ANALYST
55
Enterprise Governance
“responsible for using tools to identify vulnerabilities in information systems and advising system owners to develop mitigation strategies”
This is the definition of which Security Operations role
PENETRATION TESTER
55
Enterprise Governance
“responsible for accepting approved requests for user access management changes”
This is the definition of which Security Operations role
ACCESS ADMINISTRATOR
55
Enterprise Governance
“responsible for audit operations and scheduling and managing audits”
This is the definition of which Security Audit role
SECURITY AUDIT MANAGER
55
Enterprise Governance
“responsible for performing internal audits of IT controls to ensure that they are operated properly”
This is the definition of which Security Audit role
SECURITY AUDITOR
55
Enterprise Governance
“serves as a liaison between end users and the IT service desk department”
This is the definition of which Service Desk role
SERVICE DESK MANAGER
55
Enterprise Governance
“responsible for providing frontline user support services to personnel in the organisation”
This is the definition of which Service Desk role
SERVICE DESK ANALYST
55
Enterprise Governance
“responsible for facilitating quality improvement activities throughout the IT organisation”
This is the definition of which Quality Assurance role
QA MANAGER
56
Enterprise Governance
“responsible for providing technical support services to other IT personnel and IT customers”
This is the definition of which Service Desk role
TECHNICAL SUPPORT ANALYST
55
Enterprise Governance
“responsible for testing IT systems and applications to confirm whether they are free of defects”
This is the definition of which Quality Assurance role
QC MANAGER
56
Enterprise Governance
“responsible for maintaining business relationships with external vendors, measuring their performance, and handling business issues”
This is the definition of which organisational role
VENDOR MANAGER
56
Enterprise Governance
“responsible for performing tasks supporting numerous functions in IT, information security, and privacy organisations”
This is the definition of which organisational role
BUSINESS ANALYST
56
Enterprise Governance
“responsible for creating project plans and managing IT and security projects”
This is the definition of which organisational role
PROJECT MANAGER
56
Enterprise Governance
“responsible for financial planning and budget management for IT”
This is the definition of which organisational role
FINANCE MANAGER
56
Enterprise Governance
General staff have what 4 security-related responsibilities as part of their employment;
[ ] Understanding and complying with security policy
[ ] Challenging suspicious people in the business
[ ] Acceptable use of organisation assets
[ ] Proper judgement and proper responses to requests for information
[ ] Monitoring personal computer logs for suspicious activity
[ ] Reporting security-related incidents
[ ] Telling off other staff members non-compliant with security policies
[X] Understanding and complying with security policy
[ ] Challenging suspicious people in the business
[X] Acceptable use of organisation assets
[X] Proper judgement and proper responses to requests for information
[ ] Monitoring personal computer logs for suspicious activity
[X] Reporting security-related incidents
[ ] Telling off other staff members non-compliant with security policies
56