01. Information Security Strategy Development Flashcards
Information Security Strategy Development
What is a strategy?
The plan to achieve an objective.
The path you have outlined to get from the current state to the strategic objective.
From where you are to where you want to be.
Information Security Strategy Development
Strategic objectives:
The desired state, and the strategy to get there, must be aligned with the organisation and with its own strategy and objectives.
Business Alignment
Information Security Strategy Development
Strategic objectives:
An organisation's information security program implicitly drives the organisation toward a specific level of risk, which may or may not match the organisation's true risk appetite.
Risk Appetite Alignment
Information Security Strategy Development
Strategic objectives:
A security program must include a risk management policy, processes, and procedures. Without these, decisions are made blindly, without regard to their consequences.
Effective Risk Management
Information Security Strategy Development
Strategic objectives:
The desired state of the security program should include a focus on continual improvement and increasing efficiency; the budget is not limitless.
Value Delivery
Information Security Strategy Development
Strategic objectives:
Strategic goals should make efficient use of available resources, e.g. employing only the staff necessary to meet the strategic objectives.
Resource Optimization
Information Security Strategy Development
Strategic objectives:
Strategic objectives should be SMART (Specific, Measurable, Achievable, Relevant, Time-related). Measurable objectives give management the opportunity to drive continual improvement.
Performance Measurement
Information Security Strategy Development
Strategic objectives:
An effective strategy works to break down silos of separate assurance processes and consolidate them, reducing hidden risk.
Assurance Process Integration
Information Security Strategy Development
A strategy is a means to achieve an objective, and the strategy itself will have objectives. The 7 objectives of an information security strategy:
- Business Alignment
- Risk Appetite Alignment
- Effective Risk Management
- Value Delivery
- Resource Optimization
- Performance Measurement
- Assurance Process Integration
Information Security Strategy Development
Strategy Participants:
Explicitly responsible for establishing risk appetite; should have a clear understanding of the level of risk they want the organisation to carry.
Board of Directors
Information Security Strategy Development
Strategy Participants:
Personnel responsible for corporate governance. Their decisions and attitudes about risk shape the rest of the organisation.
Executive Management
Information Security Strategy Development
Strategy Participants:
Must be an effective communicator and able to sell the strategy to business leaders. Unless the executives and board members are brought on board, the strategy has little chance of succeeding.
Security Leader
Information Security Strategy Development
Strategy Participants:
Must be able to collaborate with one another and with others in the organisation to contribute to the details of the strategy. Must be able to:
1. identify specialities within information security
2. recognise essential areas for improvement
3. articulate improvement plans to security leaders and other leaders
Security Team
Information Security Strategy Development
Strategy Participants:
These people understand their business models, strategies, goals, objectives, and operations. Security leaders must collaborate with them to align the security strategy with business needs and objectives.
Business Leaders
Information Security Strategy Development
Strategy Participants:
Trusted professionals whom the security leader can consult.
Outside Experts
Information Security Strategy Development
Before an information security strategy can be developed, what is it first necessary to understand?
Everything that is currently in place.
Understand the lay of the land and establish a starting point.
Information Security Strategy Development
It is not possible to map out future security capabilities without first understanding the organisation's current what?
State and Capabilities
Information Security Strategy Development
A tool used to identify what must be done to move from the current state to a desired state.
Gap Analysis
Information Security Strategy Development
Two input assessments that must be considered before the objectives of an information security strategy can be defined.
Risk Assessments
- Risk Assessment
- Threat Assessment
Information Security Strategy Development
Once a risk assessment and a threat assessment have been completed, the security strategist can develop ____ or validate whether established ones already address the ____ and ____ identified.
Risk Assessments
- Strategic Objectives
- Risks
- Threats
Information Security Strategy Development
A strategist should have a risk assessment performed. This helps them understand what 3 key things?
Risk Assessments
- Threat Scenarios
- Estimated Impact
- Frequency of Occurrence
Threat, Likelihood, Impact
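The three risk-assessment inputs above (threat scenarios, estimated impact, frequency of occurrence) become useful to a strategist once they are turned into a ranked list and compared with the risk appetite the board has set. The Python below is an added worked example, not part of the original flashcards or of the material they summarise. It assumes the standard quantitative relation annualised loss expectancy = estimated impact per occurrence x expected occurrences per year (the cards name the inputs but give no formula), and the scenario names, figures and appetite threshold are constructed for illustration only.

```python
"""Rank threat scenarios by annualised loss expectancy and compare them with risk appetite.

Added example for the risk-assessment card; all figures are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    estimated_impact: float     # loss per single occurrence, in currency units
    frequency_per_year: float   # expected occurrences per year (likelihood)


def annualized_loss_expectancy(scenario: ThreatScenario) -> float:
    """ALE = impact per occurrence x occurrences per year, rounded to cents."""
    return round(scenario.estimated_impact * scenario.frequency_per_year, 2)


def rank_scenarios(scenarios: list[ThreatScenario]) -> list[ThreatScenario]:
    """Highest annualised loss first, so treatment effort goes where the risk is."""
    return sorted(scenarios, key=annualized_loss_expectancy, reverse=True)


def exceeds_appetite(scenarios: list[ThreatScenario], appetite: float) -> list[str]:
    """Names of scenarios whose ALE is above the board's per-scenario appetite."""
    return [s.name for s in rank_scenarios(scenarios)
            if annualized_loss_expectancy(s) > appetite]


def appetite_gaps(scenarios: list[ThreatScenario], appetite: float) -> dict[str, float]:
    """How much ALE each over-appetite scenario must be reduced by (the gap to close).

    This is the numeric form of a gap analysis: current state (today's ALE)
    versus desired state (ALE at or below appetite).
    """
    return {s.name: round(annualized_loss_expectancy(s) - appetite, 2)
            for s in scenarios if annualized_loss_expectancy(s) > appetite}


# Constructed sample register (hypothetical scenarios and values).
SAMPLE_SCENARIOS = [
    ThreatScenario("Ransomware on file servers", estimated_impact=250_000.0, frequency_per_year=0.2),
    ThreatScenario("Lost unencrypted laptop", estimated_impact=15_000.0, frequency_per_year=3.0),
    ThreatScenario("Phishing leading to payment fraud", estimated_impact=80_000.0, frequency_per_year=0.5),
    ThreatScenario("Data centre flood", estimated_impact=1_200_000.0, frequency_per_year=0.01),
]

# Hypothetical per-scenario appetite set by the board, in the same currency units.
SAMPLE_APPETITE = 40_000.0


def main() -> None:
    print(f"{'Scenario':<36}{'Impact':>12}{'Freq/yr':>9}{'ALE':>12}")
    for s in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{s.name:<36}{s.estimated_impact:>12,.0f}{s.frequency_per_year:>9.2f}"
              f"{annualized_loss_expectancy(s):>12,.0f}")
    print("\nAbove appetite:", exceeds_appetite(SAMPLE_SCENARIOS, SAMPLE_APPETITE))
    print("Reduction required:", appetite_gaps(SAMPLE_SCENARIOS, SAMPLE_APPETITE))


if __name__ == "__main__":
    main()
```

The low-frequency, high-impact flood scenario ranks last on ALE even though its single-event loss is the largest; whether that ordering is acceptable is exactly the kind of judgement the board's stated risk appetite has to settle, which is why the appetite check is separate from the ranking.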
Information Security Strategy Development
What is the purpose of a threat assessment?
Threat Assessments
Understand relevant threats
Information Security Strategy Development
A threat assessment focuses on external threats and threat scenarios regardless of what?
Threat Assessments
The presence or effectiveness of preventive or detective controls
Information Security Strategy Development
What may give a security strategist insight into the maturity of the organisation's security program?
Threat Assessments
Historical Threat Assessments
Information Security Strategy Development
Aspects of Security Policy:
What subject areas are covered by the policy? Does it include the expected devices, such as mobile phones, computers and laptops?
Policy
Breadth of Coverage
Information Security Strategy Development
Aspects of Security Policy:
Does the policy include content on new technologies and practices?
Policy
Relevance
Information Security Strategy Development
Aspects of Security Policy:
How frequently is the policy communicated, and what level of understanding does the workforce have of it?
Policy
Policy Communication
Information Security Strategy Development
Aspects of Security Policy:
Does the policy address shifts in how the workforce works or achieves its objectives, e.g. the shift to working from home during the pandemic?
Policy
Workforce Transformation
Information Security Strategy Development
Aspects of Security Policy:
Does the policy outline prohibited behaviours or define limits?
Policy
Policy Strictness
Information Security Strategy Development
Aspects of Security Policy:
Does the policy specify expectations for adherence and outline the consequences of non-compliance?
Policy
Accountability and Consequences
Information Security Strategy Development
Aspects of Security Policy:
Is the expected margin of compliance clearly defined? Does the policy reflect good practices, and is the organisation meeting most or all of them?
Policy
Compliance
Information Security Strategy Development
Aspects of Security Policy:
When was the policy last updated, reviewed and approved?
Policy
Last Management Review
Information Security Strategy Development
Describe the detail: the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organisation.
Standards
Information Security Strategy Development
Standards can be highly detailed, specified ____, or they can be ____ (less detailed).
- Configuration item by configuration item
- Principle-based
Principle-based means engineers have wide latitude in how they implement the standard.
Information Security Strategy Development
Typically written for personnel who need extra guidance on how to adhere to a policy.
Guidelines
Information Security Strategy Development
What are the 2 elements of technical debt to consider when reviewing the organisation's architecture?
Architecture
- Poor Design
- Outdated and unsupported components
Poor design forces subsequent changes that are themselves less than optimal, degrading the environment further.
Outdated and unsupported components require effort and time to troubleshoot or replace.
Information Security Strategy Development
Knowing whether controls are documented is less useful than knowing whether they are what?
Effective
Information Security Strategy Development
3 things a strategist should seek to understand when reviewing each control:
- Owner
- Purpose
- Scope