01. Information Security Strategy Development Flashcards

1
Q

What is a strategy?

A

The plan to achieve an objective

The path you have outlined to get from current state to strategic objective
From where you are to where you want to be

p. 63
2
Q

Strategic objectives:
The desired state, and the strategy to get there, must be in alignment with the organisation and its strategy and objectives

A

Business Alignment

p. 63
3
Q

Strategic objectives:
An organisation's information security program implicitly drives the organisation toward a specific level of risk, which may or may not align with the organisation's true risk appetite

A

Risk Appetite Alignment

p. 63
4
Q

Strategic objectives:
A security program must include a risk management policy, processes, and procedures. Without these, decisions are made blindly, without regard to their consequences

A

Effective Risk Management

p. 63
5
Q

Strategic objectives:
The desired state of the security program should include a focus on continual improvement and increasing efficiency, since the budget is not limitless

A

Value Delivery

6
Q

Strategic objectives:
Strategic goals should make efficient use of available resources, e.g. employing only the staff necessary to meet the strategic objectives

A

Resource Optimization

p. 64
7
Q

Strategic objectives:
Strategic objectives should be SMART (Specific, Measurable, Achievable, Relevant, Time-related); being measurable gives management the opportunity to drive continual improvement

A

Performance Measurement

p. 64
8
Q

Strategic objectives:
An effective strategy works to break down silos of separate assurance processes and consolidate them, reducing hidden risk

A

Assurance Process Integration

p. 64
9
Q

A strategy is a means to achieve an objective, and the strategy itself will have objectives. What are the 7 objectives of an information security strategy?

A
  1. Business Alignment
  2. Risk Appetite Alignment
  3. Effective Risk Management
  4. Value Delivery
  5. Resource Optimization
  6. Performance Measurement
  7. Assurance Process Integration

p. 64
10
Q

Strategy Participants:
Explicitly responsible for establishing risk appetite and should have a clear understanding of the level of risk they desire for the organisation

A

Board of Directors

p. 64
11
Q

Strategy Participants:
Personnel responsible for corporate governance. They impart decisions and attitudes about risk

A

Executive Management

p. 65
12
Q

Strategy Participants:
Must be an effective communicator, able to sell the strategy to business leaders. They must be able to get the executives and board members on board, or the strategy has little chance of succeeding

A

Security Leader

p. 65
13
Q

Strategy Participants:
Must be able to collaborate with one another and with others in the organisation to contribute to the development of strategy details. Must be able to:
1. identify specialities in information security
2. recognize essential improvement areas
3. articulate improvement plans to security leaders and other leaders

A

Security Team

p. 65
14
Q

Strategy Participants:
These people understand their business models, strategies, goals, objectives, and operations. Security leaders must collaborate with them to help align the security strategy to business needs and objectives

A

Business Leaders

p. 65
15
Q

Strategy Participants:
Trusted professionals whom the security leader can consult

A

Outside Experts

p. 65
16
Q

Before an information security strategy can be developed, it is first necessary to understand what?

A

Everything that is in place currently

Understand the lay of the land, establishing a starting point

p. 65
17
Q

It is not possible to map out future security capabilities without first understanding the organisation's current what?

A

State and Capabilities

p. 65
18
Q

A tool used to establish the needs that must be filled to move from a current state to a desired state

A

Gap Analysis

p. 65
19
Q

Risk Assessments:
Which two input assessments must be considered before information security strategic objectives can be defined?

A
  1. Risk Assessment
  2. Threat Assessment

p. 65
20
Q

Risk Assessments:
Once a risk and threat assessment has been completed, the security strategist can develop ____, or validate whether established ones will satisfactorily address the ____ and ____ identified

A
  1. Strategic Objectives
  2. Risks
  3. Threats

p. 66
21
Q

Risk Assessments:
A strategist should have a risk assessment performed. What 3 key things will this help them understand?

A
  1. Threat Scenarios
  2. Estimated Impact
  3. Frequency of Occurrence

Threat, Likelihood, Impact

p. 66
22
Q

Threat Assessments:
What is the purpose of a threat assessment?

A

Understand relevant threats

p. 67
23
Q

Threat Assessments:
A threat assessment focuses on external threats and threat scenarios, regardless of what?

A

The presence or effectiveness of preventive or detective controls

p. 67
24
Q

Threat Assessments:
What may give a security strategist insight into the maturity of the organisation's security program?

A

Historical Threat Assessments

25
Q

Aspects of Security Policy:
What subject areas does the policy cover? Does it include the devices one would expect, such as mobile phones, computers, and laptops?

A

Breadth of Coverage

p. 67
26
Q

Aspects of Security Policy:
Does the policy include content on new technologies and practices?

A

Relevance
27
Q

Aspects of Security Policy:
How frequently is the policy communicated, and what level of understanding does the workforce have of it?

A

Policy Communication

p. 67
28
Q

Aspects of Security Policy:
Does the policy address shifts in the manner of working, or in how the workforce achieves its objectives, e.g. the shift to working from home during the pandemic?

A

Workforce Transformation

p. 67
29
Q

Aspects of Security Policy:
Does the policy outline prohibited behaviours or define limits?

A

Policy Strictness

p. 67
30
Q

Aspects of Security Policy:
Does the policy specify expectations for adherence and outline the consequences of non-compliance?

A

Accountability and Consequences

p. 67
31
Q

Aspects of Security Policy:
Is the expected margin of compliance clearly defined? Does the policy reflect good practices, and is the organisation meeting most or all of them?

A

Compliance

p. 68
32
Q

Aspects of Security Policy:
When was the policy last updated, reviewed, and approved?

A

Last Management Review

p. 68
33
Q

Describes the detail: the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organisation

A

Standards

p. 68
34
Q

Standards can be highly detailed, meaning things are specified ____, or they can be ____ (less detailed)

A

1. Configuration item by configuration item
2. Principle-based

Principle-based standards allow engineers wide latitude when implementing them

p. 68
35
Q

Typically written for personnel who need extra guidance on how to adhere to a policy

A

Guidelines

p. 68
36
Q

Architecture:
What are the 2 elements of technical debt to consider when reviewing the organisation's architecture?

A

1. Poor design
2. Outdated and unsupported components

Poor design causes subsequent changes to be less than optimal, degrading the environment further. Outdated and unsupported components require effort and time to troubleshoot and replace

p. 69
37
Q

Knowing whether controls are documented is less useful than knowing whether they are what?

A

Effective

p. 70
38
Q

3 things a strategist should seek to understand when reviewing controls

A

1. Owner
2. Purpose
3. Scope

p. 70
39
Q

2 methods a strategist can use to find out whether controls are actually being implemented

A

1. Interviews
2. Observation

p. 70
40
Q

What does an inventory of skills help a strategist understand about employees?

A

What they can accomplish

If the skills needed to achieve a strategic objective do not exist within the organisation, the strategy will fail

p. 70
41
Q

A means of indicating the state of an information security program over time

A

Metrics

They serve as a guide to the long-term effectiveness of security controls

p. 71
42
Q

When implementing and reviewing metrics, what must a strategist understand?

A

The Audience

Who the metrics are intended for, e.g. internal security operations only, executive management, or end users

p. 71
43
Q

Why is it essential to understand what assets you have?

A

You cannot protect what you do not know about

p. 71
44
Q

What insight can a strategist obtain from a well-documented risk register?

A

Insight into:
1. The risk management program
2. Risk analysis activities in the organisation

p. 72
45
Q

A business record reflecting the history and findings from risk assessments, threat assessments, vulnerability assessments, security incidents, and other activities

A

Risk Register

p. 72
46
Q

Ideally, where a cyber risk register exists, there should be effective communication between the owner of the cyber risk register and the owner of what?

A

Enterprise Risk Register

That is, the owner of Enterprise Risk Management (ERM)

p. 72
48
Q

A strategist may perform a vulnerability assessment to better understand the current ____ of the organisation's ____

A

1. Security posture
2. Technology infrastructure

p. 72
49
Q

What 2 kinds of maturity may a strategist infer from a vulnerability assessment?

A

1. Operational maturity
2. Security maturity
50
Q

When a vulnerability assessment finds consistent vulnerabilities across similar systems, what does this indicate about maturity?

A

Greater Operational Maturity

Consistent findings suggest similar systems are built and patched the same way, e.g. through automated patching tools

p. 73
51
Q

When a vulnerability assessment finds large numbers of vulnerabilities, particularly high or critical ones, what does this indicate about maturity?

A

Low Security Maturity

An indication that the organisation is not placing emphasis on basic security hygiene
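As an added illustration of the two heuristics on cards 50 and 51 (this is example code, not from the original deck or the book it summarises), the Python below groups vulnerability-scan findings by system role, measures how consistent the findings are across hosts in the same role, and counts high/critical findings per host. The finding record format, the host names, the finding identifiers and both thresholds are assumptions made for the example; the sample findings are constructed, not real scan output.

```python
"""Maturity signals from vulnerability-scan findings.

Added example for the two flashcard heuristics; not from the original deck.
The finding record format, host/finding names and both thresholds are
assumptions for this example.
"""
from collections import defaultdict
from itertools import combinations

SEVERE = {"high", "critical"}

# Constructed sample findings (hypothetical hosts and finding IDs, not real scan output).
# Web tier: identical findings on every host, none severe.
# DB tier: every host differs, and each carries two high/critical findings.
SAMPLE_FINDINGS = [
    {"host": "web-1", "role": "web", "id": "TLS-WEAK-CIPHERS", "severity": "medium"},
    {"host": "web-1", "role": "web", "id": "HTTP-SERVER-BANNER", "severity": "low"},
    {"host": "web-2", "role": "web", "id": "TLS-WEAK-CIPHERS", "severity": "medium"},
    {"host": "web-2", "role": "web", "id": "HTTP-SERVER-BANNER", "severity": "low"},
    {"host": "web-3", "role": "web", "id": "TLS-WEAK-CIPHERS", "severity": "medium"},
    {"host": "web-3", "role": "web", "id": "HTTP-SERVER-BANNER", "severity": "low"},
    {"host": "db-1", "role": "db", "id": "UNPATCHED-KERNEL", "severity": "critical"},
    {"host": "db-1", "role": "db", "id": "SMB-SIGNING-DISABLED", "severity": "high"},
    {"host": "db-2", "role": "db", "id": "DEFAULT-ADMIN-CREDS", "severity": "critical"},
    {"host": "db-2", "role": "db", "id": "UNSUPPORTED-DBMS", "severity": "critical"},
    {"host": "db-3", "role": "db", "id": "UNPATCHED-KERNEL", "severity": "critical"},
    {"host": "db-3", "role": "db", "id": "MGMT-PORT-EXPOSED", "severity": "high"},
]


def findings_by_host(findings):
    """Group finding IDs as role -> host -> set(finding id)."""
    index = defaultdict(lambda: defaultdict(set))
    for f in findings:
        index[f["role"]][f["host"]].add(f["id"])
    return index


def jaccard(a, b):
    """Similarity of two finding sets; 1.0 when identical, 0.0 when disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def role_consistency(findings):
    """Mean pairwise Jaccard similarity of finding sets among hosts sharing a role.
    Near 1.0 means similar systems show the same findings, the signal card 50
    associates with a repeatable build/patch process. None if only one host."""
    result = {}
    for role, hosts in findings_by_host(findings).items():
        pairs = list(combinations(hosts.values(), 2))
        result[role] = (
            sum(jaccard(a, b) for a, b in pairs) / len(pairs) if pairs else None
        )
    return result


def severe_per_host(findings):
    """Average count of high/critical findings per host, by role (card 51)."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["role"]][f["host"]] += int(f["severity"] in SEVERE)
    return {role: sum(h.values()) / len(h) for role, h in counts.items()}


def maturity_signals(findings, consistency_floor=0.8, severe_ceiling=1.0):
    """Label each role with the two maturity signals. The thresholds are
    assumed for the example; calibrate them against your own scan history."""
    consistency = role_consistency(findings)
    severe = severe_per_host(findings)
    signals = {}
    for role, c in consistency.items():
        s = severe.get(role, 0.0)
        signals[role] = {
            "consistency": c,
            "severe_per_host": s,
            "operational_maturity": "higher" if c is not None and c >= consistency_floor else "lower or unknown",
            "security_maturity": "low" if s > severe_ceiling else "not flagged",
        }
    return signals


if __name__ == "__main__":
    for role, signal in maturity_signals(SAMPLE_FINDINGS).items():
        print(role, signal)
```

On the constructed data the web tier scores a consistency of 1.0 with no severe findings (higher operational maturity, nothing flagged), while the DB tier scores about 0.11 with two severe findings per host (lower operational maturity and low security maturity). Consistency alone is not proof of good hygiene: hosts that are all missing the same patches are also "consistent", which is why the two signals are reported side by side.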
52
Q

What is it important for a strategist to understand about the organisation's cyber insurance?

A

Why it was purchased

p. 73
53
Q

4 key questions to consider regarding a cyber insurance policy

A

1. Ransomware: under what conditions will the policy pay?
2. Third-party breach: are losses arising from a breach at a third party covered?
3. Proactive support: what assistance is provided in an incident?
4. Incident reporting and assistance: what are the notification periods?

p. 74
54
Q

What are 3 key factors contributing to a lack of visibility and control over critical and sensitive data that a strategist needs to understand?

A

1. The cloud
2. BYOA (bring your own app)
3. BYOD (bring your own device)

Understanding these helps the strategist gauge the current state of security for critical data and identify elements of a viable strategy to protect it

p. 74
55
Q

Used to identify an organisation's business processes, the interdependencies between processes, the resources required for process operation, and the impact on the organisation if any business process is incapacitated for a given time

A

Business Impact Analysis (BIA)

p. 75
56
Q

What will a Business Impact Analysis (BIA) highlight to a strategist about business processes and their underlying resources when developing a disaster recovery plan?

A

Criticality

Which processes should receive the most attention

p. 75
57
Q

What does a security incident log provide?

A

A history of security incidents

p. 75
58
Q

The process of assessing the risk of a service provider before an organisation elects to use its services

A

Up-front due diligence

p. 76
59
Q

What is a key reason for an organisation to conduct an up-front due diligence risk assessment of a third party before contracting its services?

A

It gives the organisation the opportunity to contractually enforce security terms and conditions

p. 76
60
Q

Up-front risk assessment of a third party:
The organisation analyses the strategic importance of the service provider in terms of contract value and service criticality in the context of the organisation

A

Relationship Risk Assessment

p. 76
61
Q

Up-front risk assessment of a third party:
An analysis of a service provider's financial health and geopolitical risk

A

Inherent Risk Assessment

p. 76
62
Q

Up-front risk assessment of a third party:
An analysis of the controls an organisation would like a service provider to use

A

Control Risk Assessment

p. 76
63
Q

Up-front risk assessment of a third party:
The practice of assigning a risk "level" to a service provider based on the nature and criticality of the service it provides to the organisation

A

Risk Tiering

p. 76
64
Q

When examining audit results, which 4 key things should a security strategist understand?

A

1. Objective
2. Scope
3. Qualifications of the auditor
4. Audit methodologies

p. 77
65
Q

To define a security strategy, what is critical for a strategist to understand about the organisation's people?

A

Culture

p. 78
66
Q

4 key areas for a security strategist to understand about an organisation's culture

A

1. Leadership: does management abide by its own rules and policies?
2. Accountability: is there evidence that the organisation enforces its policies?
3. Empowerment: can employees act and ask for forgiveness, or must they seek permission first?
4. Security awareness buy-in: investigate the organisation's security awareness program

p. 78
67
Q

After performing a risk and threat assessment and reviewing the state of the security program, the strategic objectives of a security strategy will fall into one of 6 categories

A

1. Improvements to protective controls
2. Improvements in incident visibility
3. Improvements in incident response
4. Reductions in risk, including compliance risk
5. Reductions in cost
6. Increased resiliency of key business systems

p. 79
68
Q

A gap assessment should focus on several aspects of a security program, including one or more of the following areas

A

1. Business alignment
2. Existing/previous strategy
3. Security program charter
4. Security policy
5. Security standards
6. Security procedures
7. Security guidelines
8. Security controls
9. Risk assessments
10. Internal and external audit results
11. Security metrics
12. Risk register
13. Risk treatment decisions
14. Security incident program
15. Security incident records
16. Third-party risk
17. BCP and DR
18. Security awareness training program
19. IT and security projects

p. 82
69
Q

A sparse or nonexistent security incident log may indicate which 3 key things?

A

1. Lack of visibility
2. Lack of training and the ability to recognise incidents
3. Watching only for "black swan" events and missing routine incidents

p. 82
70
Q

A tool used in support of strategy planning that provides insight into 4 specific areas

A

SWOT Analysis
1. Strengths
2. Weaknesses
3. Opportunities
4. Threats

p. 83
71
Q

CMMI-DEV

A

Capability Maturity Model Integration for Development

p. 84
72
Q

The 5 levels of maturity within the CMMI-DEV model

A

1. Initial
2. Repeatable
3. Defined
4. Managed
5. Optimizing

These are the level names used in the source text (they originate in the earlier Software CMM); current CMMI-DEV documentation calls level 2 "Managed" and level 4 "Quantitatively Managed"

p. 84
73
Q

CMMI-DEV model level:
A process that is ad hoc, inconsistent, unmeasured, and unrepeatable

A

Level 1: Initial

p. 84
74
Q

CMMI-DEV model level:
A process that is performed consistently and with the same outcome; it may or may not be documented

A

Level 2: Repeatable

p. 84
75
Q

CMMI-DEV model level:
A process that is well defined and well documented

A

Level 3: Defined

p. 84
76
Q

CMMI-DEV model level:
A quantitatively measured process with one or more metrics

A

Level 4: Managed

p. 84
77
Q

CMMI-DEV model level:
A measured process that is under continuous improvement

A

Level 5: Optimizing

p. 84
78
Q

Security policies should be designed to be durable and not tied to specific what?

A

Technologies

Significant changes in technology could put policies at odds with the technology

p. 85
79
Q

It is common practice to structure an organisation's security policy using one or more of the following relevant frameworks

A

1. NIST SP 800-53
2. NIST SP 800-171 / NIST SP 800-172
3. ISO/IEC 27001 / ISO/IEC 27002
4. COBIT
5. HIPAA
6. PCI DSS
7. CIS CSC

p. 86
80
Q

What is the risk of not obtaining stakeholder support and buy-in when policies are written?

A

Deploying policies that cannot be adhered to

p. 86
81
Q

Controls are generally changed as a result of what?

A

Risk assessment

p. 86
82
Q

An organisation should select a control framework that best aligns with what?

A

Its industry

p. 87
83
Q

A policy defines ____; a standard defines ____

A

1. What is to be done
2. How policies are carried out

A policy will say you must use strong passwords; a standard will define the character length, character usage, etc.

p. 87
84
Q

Describe the steps to be followed when carrying out functions and tasks

A

Processes and procedures

p. 88
85
Q

What are the 2 key things a security strategy obtains when it achieves management commitment?

A

1. Funding
2. Resources

p. 91
86
Q

When seeking management commitment to a security strategy, the security strategist should avoid using fear, uncertainty, and doubt (FUD). How should it be presented instead?

A

In business terms and as business opportunities

p. 91
87
Q

Strategy constraints and obstacles:
A tendency for people within the organisation to think that change is bad

A

Resistance to Change

p. 92
88
Q

Strategy constraints and obstacles:
A pattern of thinking in which people believe that because a disaster or breach has never occurred, it never will

A

Normalcy Bias

p. 92
89
Q

Strategy constraints and obstacles:
A collection of values and behaviours that contribute to the unique social and psychological environment of the organisation

A

Culture

p. 92
90
Q

Strategy constraints and obstacles:
4 different cultural constraints

A

1. Strong culture: personnel understand and support the organisation's goals and objectives and need little encouragement
2. Weak culture: the culture is not well aligned with the organisation
3. Culture of fear: workers distrust management, who act as tyrants
4. Healthy culture: workers and management respect each other and have a strong sense of accountability

p. 92
91
Q

Strategy constraints and obstacles:
Understanding "who owns what turf" and establishing the right relationships to better support the security strategy

A

Organisational Structure

p. 93
92
Q

Strategy constraints and obstacles:
A security strategy cannot succeed if the requisite skills to execute it do not exist

A

Staff Capabilities

p. 93
93
Q

Strategy constraints and obstacles:
The need for a security strategist to understand, with a degree of precision, the hard and soft costs associated with elements of the security strategy

A

Budget and Cost

p. 93
94
Q

Strategy constraints and obstacles:
Project initiatives within the security strategy are not all delivered within the same time frame; they need effective project management and expectation setting

A

Time

p. 94
95
Q

Strategy constraints and obstacles:
Items included in a strategy because they are governed by external sources, e.g. implementing a WAF to meet PCI DSS compliance

A

Legal and Regulatory Obligations

p. 94
96
Q

Strategy constraints and obstacles:
Understanding the organisation's risk appetite and its impact, which define the extent to which elements of a security strategy can be executed successfully, or even adopted

A

Acceptable Risk

p. 95
97
Q

Strategy constraints and obstacles:
3 key components that together form what is known as "the obstacle of organisational inertia" (things are done the same way until change is exerted, and that change meets resistance)

A

1. Operational people performing change: business processes undergoing change must continue to operate, so change should be enacted slowly and carefully to avoid operational impact
2. Learning curve: significant change requires personnel to learn new systems, processes, and procedures
3. Human resistance to change