01. Information Security Program Resources

Question 1

Information Security Program Resources

The Information Security Program comprises of a collection of activities used to..

Answer 1

identify, communicate, and address risk

197

Question 2

Information Security Program Resources

The Security Program consists of…

Answer 2

Controls, processes, and practices

197

Question 3

Information Security Program Resources

Controls, processes, and practices within the security program are inteded to increase the resilience of the computing environment and ensure that risks are…

Answer 3

known and handled effectively

197

Question 4

Trends

Numerous organisations still consider cybersecurity as nonstrategic and tactical with security and privacy not part of initial designs of new procuts because security is not seen as…

Answer 4

an enabler but an impediment

198

Question 5

Outcomes

The primary outcome of a security program is the realisation of its…

Answer 5

strategy, goals, and objectives

198

Question 6

Outcome

When a security strategy is aligned with th ebusiness and its risk tolerance and operations, the security program will…

Answer 6

act as a business enabler

198

Question 7

Outcome

The outcomes that should be part of any information security program include…

Answer 7

1. Strategic Alignment
2. Risk Management
3. Value Delivery
4. Resource Management
5. Performance Management
6. Assurance Process Integration

199

Question 8

Outcome

Effective and efficient resource management over the security program and achieving its primary objectives of risk management and risk reduction will lead to a greater confidence in the business regarding the….

Answer 8

resource requests made by the security manager

199

Question 9

Outcome

An effective information security program will be aligned with other assurance processes and programs within an organisation, including…

Answer 9

1. Human Resources
2. Finance
3. Legal
4. Audit
5. Enterprise Risk Management (ERM)
6. Information Technology
7. Operations

199

Question 10

Charter

A formal, written definition of the obejctives of a program, its main timelines, sources of funding, names of principal leaders and managers, and the business executives sponsoring it

Answer 10

Charter

199

Question 11

Charter

A program charter document is typically approved by either…

Answer 11

CEO or Executive Leader

This demonstrates tehs upport from executive leadership to a program

199

Question 12

Charter

An information security program charter gives authority to the security leader to develop or perform several functions including..

Answer 12

1. Develop and enforce security policy
2. Develop and implement the risk management process
3. Develop and managing security governance
4. Develop and direct the implementation and operation of controls
5. Develop and direct the implementaiton of key security processes

199

Question 13

Charter

Whilst a security manager is the facilitator of a security program, ultimate responsibility or ownership for protecting information in the business is..

Answer 13

at the executive leadership and board of directors level

200

Question 14

Scope

The process by which management define the departments, business units, affiliates, and locations included in the information security program

Answer 14

Scope

200

Question 15

Scope

By identifying which parts of the organisation are to be included (in scope) and subject to information security governance and policy, the organisation have…

Answer 15

defined the boundaries of the program

200

Question 16

Scope

In large organisations, busines sunits or affiliates may have security programs of their own, which are defined as part of…

Answer 16

larger security program

A centralised security program may define the high level policies but each separate business unit has their own processes, personnel, and standards

200

Question 17

Information Security Processes

Information Security Processes fall into three major categories…

Answer 17

1. Risk and Compliance
2. Architecture
3. Operations

200

Question 18

Information Security Processes

Information Security Processes category 1:
Risk and compliance processes typically include….

Answer 18

1. Risk assesments and risk management
2. Security policy management
3. Security controls management
4. Requirements development
5. Compliance monitoring
6. Data classification and handling
7. Third-party risk management
8. Contingency planning
9. Access Governance
10. Security Awareness Training
11. Privacy

200

Question 19

Information Security Processes

Information Security Processes category 2:
Architecture processes typically include…

Answer 19

1. Reference architecture development
2. Architecture reviews
3. Technical Standards

201

Question 20

Information Security Processes

Information Security Processes category 3:
Security operations processes typically include…

Answer 20

1. Security event logging and monitoring
2. Security incident response
3. Forensics
4. Vulnerability management
5. Penetration testing
6. Threat intelligence
7. Identify and access management

201

Question 21

3 lines of defence

The three lines of defence functional model used to develop and operate controls

Answer 21

1. Control Development
2. Control Operation
3. Control Assurance

1. Information security or risk management function. Developed based on results of risk assessments
2. Assigned to teams or persons operating controls.
3. Independent audit function - controls are audited

201

Question 22

Information Security Technologies

Information security utilizes its own portfolio of protective and detective technologies in its function to protect “all things IT”

Answer 22

1. Foundation technologies
2. Endpoint protection
3. Network Protection
4. Data Protection
5. Identity and Access Management
6. Event Management
7. Vulnerability Management
8. Systems and Software Development
9. Governance, Risk and Compliance

See breakdown of technologies - LINK

202

Question 23

Information Security Technologies

There is only one valid reasons for adopting new security technology, which is that it is called for through…

Answer 23

risk analysis and risk treatment

All other reasons are invalid, often a result of peer pressure or emotional decision making.

203