01. Information Security Program Resources Flashcards
Information Security Program Resources
The Information Security Program comprises a collection of activities used to…
identify, communicate, and address risk
197
Information Security Program Resources
The Security Program consists of…
Controls, processes, and practices
197
Information Security Program Resources
Controls, processes, and practices within the security program are intended to increase the resilience of the computing environment and ensure that risks are…
known and handled effectively
197
Trends
Numerous organisations still consider cybersecurity as nonstrategic and tactical, with security and privacy not part of the initial designs of new products, because security is not seen as…
an enabler but as an impediment
198
Outcomes
The primary outcome of a security program is the realisation of its…
strategy, goals, and objectives
198
Outcome
When a security strategy is aligned with the business and its risk tolerance and operations, the security program will…
act as a business enabler
198
Outcome
The outcomes that should be part of any information security program include…
- Strategic Alignment
- Risk Management
- Value Delivery
- Resource Management
- Performance Management
- Assurance Process Integration
199
Outcome
Effective and efficient resource management of the security program, together with achieving its primary objectives of risk management and risk reduction, will lead to greater confidence in the business regarding the…
resource requests made by the security manager
199
Outcome
An effective information security program will be aligned with other assurance processes and programs within an organisation, including…
- Human Resources
- Finance
- Legal
- Audit
- Enterprise Risk Management (ERM)
- Information Technology
- Operations
199
Charter
A formal, written definition of the objectives of a program, its main timelines, sources of funding, names of principal leaders and managers, and the business executives sponsoring it
Charter
199
Charter
A program charter document is typically approved by either the…
CEO or an executive leader
This demonstrates the support of executive leadership for the program
199
Charter
An information security program charter gives authority to the security leader to develop or perform several functions, including…
- Develop and enforce security policy
- Develop and implement the risk management process
- Develop and manage security governance
- Develop and direct the implementation and operation of controls
- Develop and direct the implementation of key security processes
199
Charter
Whilst a security manager is the facilitator of a security program, ultimate responsibility or ownership for protecting information in the business lies…
at the executive leadership and board of directors level
200
Scope
The process by which management defines the departments, business units, affiliates, and locations included in the information security program
Scope
200
Scope
By identifying which parts of the organisation are to be included (in scope) and subject to information security governance and policy, the organisation has…
defined the boundaries of the program
200
Scope
In large organisations, business units or affiliates may have security programs of their own, which are defined as part of…
a larger security program
A centralised security program may define the high-level policies, while each separate business unit has its own processes, personnel, and standards
200
Information Security Processes
Information Security Processes fall into three major categories…
- Risk and Compliance
- Architecture
- Operations
200
Information Security Processes
Information Security Processes category 1:
Risk and compliance processes typically include….
- Risk assessments and risk management
- Security policy management
- Security controls management
- Requirements development
- Compliance monitoring
- Data classification and handling
- Third-party risk management
- Contingency planning
- Access Governance
- Security Awareness Training
- Privacy
200
Information Security Processes
Information Security Processes category 2:
Architecture processes typically include…
- Reference architecture development
- Architecture reviews
- Technical Standards
201
Information Security Processes
Information Security Processes category 3:
Security operations processes typically include…
- Security event logging and monitoring
- Security incident response
- Forensics
- Vulnerability management
- Penetration testing
- Threat intelligence
- Identity and access management
201
3 lines of defence
The three lines of defence functional model used to develop and operate controls…
- Control Development: the information security or risk management function; controls are developed based on the results of risk assessments
- Control Operation: assigned to the teams or persons operating the controls
- Control Assurance: an independent audit function; controls are audited
201
Information Security Technologies
Information security utilizes its own portfolio of protective and detective technologies in its function to protect “all things IT”
- Foundation technologies
- Endpoint protection
- Network Protection
- Data Protection
- Identity and Access Management
- Event Management
- Vulnerability Management
- Systems and Software Development
- Governance, Risk and Compliance
See breakdown of technologies - LINK
202
Information Security Technologies
There is only one valid reason for adopting new security technology, which is that it is called for through…
risk analysis and risk treatment
All other reasons are invalid, and are often the result of peer pressure or emotional decision making.
203