01. Information Security Strategy Development Flashcards

1
Q

Information Security Strategy Development

What is a strategy

A

The plan to achieve an objective

The path you have outlined to get from current state to strategic objective
From where you are to where you want to be

63

2
Q

Information Security Strategy Development

Strategic objectives:
The desired state, and the strategy to get there, must be in alignment with the organisation and its strategy and objectives

A

Business Alignment

63

3
Q

Information Security Strategy Development

Strategic objectives:
An organisation's information security program implicitly drives the organisation toward a specific level of risk, which may or may not align with the organisation's true risk appetite

A

Risk Appetite Alignment

63

4
Q

Information Security Strategy Development

Strategic objectives:
A security program must include a risk management policy, processes, and procedures. Without this, decisions are made blindly without regard to their consequences

A

Effective Risk Management

63

5
Q

Information Security Strategy Development

Strategic objectives:
The desired state of the security program should include a focus on continual improvement and increasing efficiency. The budget is not limitless

A

Value Delivery

6
Q

Information Security Strategy Development

Strategic objectives:
Strategic goals should efficiently utilize available resources, e.g. having only the staff necessary to meet the strategic objectives

A

Resource Optimization

64

7
Q

Information Security Strategy Development

Strategic objectives:
It is important for strategic objectives to be SMART (Specific, Measurable, Achievable, Relevant, Time-related); being measurable gives management the opportunity to drive continual improvement

A

Performance Measurement

64

8
Q

Information Security Strategy Development

Strategic objectives:
An effective strategy will work to break down silos of separate assurance processes and consolidate them, reducing hidden risk

A

Assurance Process Integration

64

9
Q

Information Security Strategy Development

A strategy is a means to achieve an objective, but the strategy itself will also have objectives. The 7 objectives of an information security strategy

A
  1. Business Alignment
  2. Risk Appetite Alignment
  3. Effective Risk Management
  4. Value Delivery
  5. Resource Optimization
  6. Performance measurement
  7. Assurance Process Integration

64

10
Q

Information Security Strategy Development

Strategy Participants:
Explicitly responsible for establishing risk appetite and should have a clear understanding of the level of risk they desire for the organisation

A

Board of Directors

64

11
Q

Information Security Strategy Development

Strategy Participants:
Personnel responsible for corporate governance. They impart decisions and attitudes about risk

A

Executive Management

65

12
Q

Information Security Strategy Development

Strategy Participants:
Must be an effective communicator and must be able to sell the strategy to business leaders. They must be able to get the executives and board members on board, or else the strategy has little chance of succeeding

A

Security Leader

65

13
Q

Information Security Strategy Development

Strategy Participants:
Must be able to collaborate with one another and with others in the organisation to contribute to the development of strategy details. Must be able to:
1. identify specialities in information security
2. recognize essential improvement areas
3. articulate improvement plans to security leaders and other leaders

A

Security Team

65

14
Q

Information Security Strategy Development

Strategy Participants:
These people understand their business models, strategies, goals, objectives, and operations. Security leaders must collaborate with them to help align the security strategy to business needs and objectives

A

Business Leaders

65

15
Q

Information Security Strategy Development

Strategy Participants:
Trusted professionals whom the security leader can consult

A

Outside Experts

65

16
Q

Information Security Strategy Development

Before an information security strategy can be developed, it is first necessary to understand what

A

Everything that is in place currently

Understand the lay of the land, establishing a starting point

65

17
Q

Information Security Strategy Development

It is not possible to map out future security capabilities without first understanding the organisation's current what

A

State and Capabilities

65

18
Q

Information Security Strategy Development

A tool used to establish the needs to be filled between a current state and a desired state

A

Gap Analysis

65

19
Q

Information Security Strategy Development

Two input assessments that must be considered before the objectives of an information security strategy can be defined

Risk Assessments

A
  1. Risk Assessment
  2. Threat Assessment

65

20
Q

Information Security Strategy Development

Once a risk and threat assessment has been completed, the security strategist can develop ____, or validate whether existing ones will satisfactorily address the ____ and ____ identified.

Risk Assessments

A
  1. Strategic Objectives
  2. Risks
  3. Threats

66

21
Q

Information Security Strategy Development

A strategist should choose to have a risk assessment performed. This will help them understand what 3 key things

Risk Assessments

A
  1. Threat Scenarios
  2. Estimated Impact
  3. Frequency of Occurrence

Threat, Likelihood, Impact

66

22
Q

Information Security Strategy Development

What is the purpose of a threat assessment

Threat Assessments

A

Understand relevant threats

67

23
Q

Information Security Strategy Development

A threat assessment focuses on external threats and threat scenarios, regardless of what

Threat Assessments

A

The presence or effectiveness of preventive or detective controls

67

24
Q

Information Security Strategy Development

What may give a security strategist insight into the maturity of the organisation's security program

Threat Assessments

A

Historical Threat Assessments

25
Q

Information Security Strategy Development

Aspects of Security Policy:
What subject areas are covered by the policy. Does it include expected devices such as mobile phones, desktop computers and laptops

Policy

A

Breadth of Coverage

67

26
Q

Information Security Strategy Development

Aspects of Security Policy:
Does the policy include content on new technologies and practices

Policy

A

Relevance

27
Q

Information Security Strategy Development

Aspects of Security Policy:
How frequently is the policy communicated, and what level of understanding does the workforce have of it

Policy

A

Policy Communication

67

28
Q

Information Security Strategy Development

Aspects of Security Policy:
Does the policy address a shift in the way the workforce works or achieves its objectives, e.g. the shift to working from home during the pandemic

Policy

A

Workforce Transformation

67

29
Q

Information Security Strategy Development

Aspects of Security Policy:
Does the policy outline prohibited behaviours or define limits

Policy

A

Policy Strictness

67

30
Q

Information Security Strategy Development

Aspects of Security Policy:
Does the policy specify expectations for adherence and outline the consequences of non-compliance

Policy

A

Accountability and Consequences

67

31
Q

Information Security Strategy Development

Aspects of Security Policy:
Is it clearly defined what the margin of compliance should be. Does the policy reflect good practices, and is the organisation meeting most or all of them

Policy

A

Compliance

68

32
Q

Information Security Strategy Development

Aspects of Security Policy:
When was the policy last updated, reviewed and approved

Policy

A

Last Management Review

68

33
Q

Information Security Strategy Development

Describe the details: the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organisation

A

Standards

68

34
Q

Information Security Strategy Development

Standards can be highly detailed, which means things are detailed ____ or they can be ____ (less detailed)

A
  1. Configuration item by configuration item
  2. Principle-based

Principle-based standards mean engineers can exercise wide latitude when implementing them

68

35
Q

Information Security Strategy Development

Written typically for personnel who need extra guidance on how to adhere to a policy

A

Guidelines

68

36
Q

Information Security Strategy Development

What are the 2 elements of technical debt to consider when reviewing the organisation's architecture

Architecture

A
  1. Poor Design
  2. Outdated and unsupported components

Poor Design - poor design causes subsequent changes to be less than optimal, degrading the environment further
Outdated and unsupported components - require effort and time to troubleshoot and replace

69

37
Q

Information Security Strategy Development

Knowing whether controls are documented or not is not as effective as knowing whether they are what

A

Effective

70

38
Q

Information Security Strategy Development

3 things a strategist should look to understand when reviewing controls

A
  1. Owner
  2. Purpose
  3. Scope

70

39
Q

Information Security Strategy Development

2 methods a strategist can use to determine whether controls are actually implemented

A
  1. Interviews
  2. Observation

70

40
Q

Information Security Strategy Development

What will an inventory of skills help a strategist understand in regards to employees

A

What can they accomplish

If the skills within the organisation do not exist to achieve a strategic objective, the strategy will fail

70

41
Q

Information Security Strategy Development

A means to indicate the state of an information security program over time

A

Metrics

Serve as a guide to long term effectiveness of security controls

71

42
Q

Information Security Strategy Development

When implementing and reviewing metrics, what must a strategist understand

A

The Audience

Who were the metrics intended for i.e. internal security operations use only, or executive management, end users etc..

71

43
Q

Information Security Strategy Development

Why is it essential to understand what assets you have

A

You cannot protect what you do not know about

71

44
Q

Information Security Strategy Development

What insight can a strategist obtain from a well documented risk register

A
  1. Risk management program
  2. Risk analysis activities in the organisation

72

45
Q

Information Security Strategy Development

A business record reflecting the history and findings from risk assessments, threat assessments, vulnerability assessments, security incidents, and other activities

A

Risk Register

72

46
Q

Information Security Strategy Development

Ideally, if a cyber risk register exists, there should be effective communication between the owner of the cyber risk register and the owner of what

A

Enterprise Risk Register

Enterprise Risk Management (ERM)

72

47
Q

Information Security Strategy Development

A
48
Q

Information Security Strategy Development

A strategist may perform a vulnerability assessment to better understand the current ____ of the organisation's ____

A
  1. Security Posture
  2. Technology Infrastructure

72

49
Q

Information Security Strategy Development

What 2 key things may a strategist decipher from conducting a vulnerability assessment in terms of maturity levels

A
  1. Operational Maturity
  2. Security Maturity
50
Q

Information Security Strategy Development

When a vulnerability assessment identifies consistency in vulnerabilities among similar systems, this may be an indication of what in regards to maturity

A

Greater Operational Maturity

Consistent findings across similar systems suggest, for example, the use of automated patching or configuration management tools

73

51
Q

Information Security Strategy Development

When a vulnerability assessment identifies large numbers of vulnerabilities, in particular high or critical, this is an indication of what in regards to maturity

A

Low Security Maturity

An indication that the organisation is not placing emphasis on basic security hygiene
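The two cards above describe reading maturity off a vulnerability assessment by eye. As an added example (written for this page, not from the original cards or the CISM text), the script below makes both signals measurable over a constructed set of scan findings: it scores how similar the finding sets are among hosts sharing a role (consistency, the operational-maturity signal) and what fraction of all findings are high or critical (the security-hygiene signal). The host names, "VULN-..." identifiers, severities and the 0.8 / 0.5 thresholds are all assumptions chosen for illustration.

```python
"""Added example: turning vulnerability-scan findings into the two maturity
signals a strategist reads from an assessment. Illustrative code for this
page; the findings below are constructed, not real scan output."""
from collections import defaultdict
from itertools import combinations

# Constructed sample: (host, role, finding_id, severity). Not real scan output.
FINDINGS = [
    ("web-01", "web", "VULN-TLS-1", "high"),
    ("web-01", "web", "VULN-HDR-2", "medium"),
    ("web-02", "web", "VULN-TLS-1", "high"),
    ("web-02", "web", "VULN-HDR-2", "medium"),
    ("web-03", "web", "VULN-TLS-1", "high"),
    ("web-03", "web", "VULN-HDR-2", "medium"),
    ("db-01", "db", "VULN-KRN-3", "critical"),
    ("db-01", "db", "VULN-SSH-4", "low"),
    ("db-02", "db", "VULN-SMB-5", "critical"),
    ("db-02", "db", "VULN-OLD-6", "high"),
    ("db-02", "db", "VULN-KRN-3", "critical"),
    ("db-03", "db", "VULN-NTP-7", "medium"),
]


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def role_consistency(findings):
    """Mean pairwise Jaccard similarity of finding sets among hosts that share
    a role. Near 1.0 every host of that role has the same gaps, which points to
    a uniform build/patch process (operational maturity). Near 0 the hosts are
    drifting independently. A role with a single host gets None."""
    by_role = defaultdict(lambda: defaultdict(set))
    for host, role, fid, _sev in findings:
        by_role[role][host].add(fid)
    out = {}
    for role, hosts in by_role.items():
        pairs = list(combinations(hosts.values(), 2))
        if not pairs:
            out[role] = None
            continue
        out[role] = sum(jaccard(a, b) for a, b in pairs) / len(pairs)
    return out


def severity_profile(findings):
    """Count findings and the share that are high or critical (hygiene signal)."""
    total = len(findings)
    serious = sum(1 for *_, sev in findings if sev in ("high", "critical"))
    return {"total": total, "high_or_critical": serious,
            "serious_fraction": serious / total if total else 0.0}


def maturity_signals(findings, consistency_threshold=0.8, serious_threshold=0.5):
    """Combine both measures into plain-language indicators. Thresholds are
    assumptions for this example, not values from any standard."""
    cons = role_consistency(findings)
    prof = severity_profile(findings)
    signals = {}
    for role, score in cons.items():
        if score is None:
            signals[role] = "insufficient hosts to judge consistency"
        elif score >= consistency_threshold:
            signals[role] = "consistent findings: likely managed build/patch process"
        else:
            signals[role] = "inconsistent findings: hosts drifting, ad hoc maintenance"
    signals["hygiene"] = ("low security maturity: many high/critical findings"
                          if prof["serious_fraction"] >= serious_threshold
                          else "serious findings under control")
    return {"consistency": cons, "profile": prof, "signals": signals}


if __name__ == "__main__":
    import json
    print(json.dumps(maturity_signals(FINDINGS), indent=2))
```

On the constructed data the web tier scores 1.0 (identical gaps on every host, so the same process built and patches them) while the db tier scores well under 0.1, and 7 of 12 findings are high or critical; that combination reads as "one tier is managed, the estate as a whole is not". Real scanner exports would be loaded in place of `FINDINGS`, and the thresholds tuned to the organisation.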

52
Q

Information Security Strategy Development

What is it important to understand for a strategist in regards to cyber insurance

A

Why it was purchased

73

53
Q

Information Security Strategy Development

4 key questions to consider in regards to a cyber insurance policy

A
  1. Ransomware
  2. Third Party Breach
  3. Proactive Support
  4. Incident Reporting and Assistance

  1. What conditions will the policy pay
  2. Losses covered by breach of third parties
  3. What assistance is provided in an incident
  4. Notification periods

74

54
Q

Information Security Strategy Development

What are 3 key factors that contribute to the lack of visibility and control over critical and sensitive data that a strategist needs to try and understand

A
  1. The Cloud
  2. BYOA
  3. BYOD

Bring your own app
Bring your own device
Helps the strategist understand the current state of security for critical data, and identify elements of a viable strategy to protect it

74

55
Q

Information Security Strategy Development

Used to identify an organisations business processes, interdependencies between processes, resources required for process operation, and the impact on the organisation if any business processes are incapacitated for a given time

A

Business Impact Analysis
(BIA)

75

56
Q

Information Security Strategy Development

What will a Business Impact Analysis (BIA) highlight to a strategist in regards to business processes and underlying resources when developing a disaster recovery plan

A

Criticality

Which processes receive the most attention

75

57
Q

Information Security Strategy Development

What does a security incident log provide

A

History of security incidents

75

58
Q

Information Security Strategy Development

The process of assessing risk on a service provider prior to an organisation electing to use their services

A

Up-front due diligence

76

59
Q

Information Security Strategy Development

What is a key reason for an organisation to conduct an up-front due diligence risk assessment of a third party before contracting their services

A

Provides opportunity for organisation to contractually enforce security terms and conditions

76

60
Q

Information Security Strategy Development

The organisation analyses the strategic importance of the service provider in terms of contract value and service criticality in the context of the organisation

Up-front risk assessment of a third party

A

Relationship Risk Assessment

76

61
Q

Information Security Strategy Development

An analysis of a service providers financial health and geopolitical risk

Up-front risk assessment of a third party

A

Inherent Risk Assessment

76

62
Q

Information Security Strategy Development

An analysis of controls that an organisation would like a service provider to use

Up-front risk assessment of a third party

A

Control Risk Assessment

76

63
Q

Information Security Strategy Development

The practice of assigning a risk “level” to a service provider based on the nature of the service they provide to the organisation and criticality

Up-front risk assessment of a third party

A

Risk Tiering

76

64
Q

Information Security Strategy Development

When examining audit results, a security strategist should understand which 4 key things

A
  1. Objective
  2. Scope
  3. Qualification of auditor
  4. Audit methodologies

77

65
Q

Information Security Strategy Development

In order to define a security strategy, what is critical for a strategist to understand about the organisation in regards to its people

A

Culture

78

66
Q

Information Security Strategy Development

4 key areas for a security strategist to understand in regards to an organisations culture

A
  1. Leadership
  2. Accountability
  3. Empowerment
  4. Security Awareness Buy-In

  1. Do management abide by their own rules and policies
  2. Evidence that an organisation enforces policies
  3. Can employees do something and ask for forgiveness, or must they seek permission first
  4. Investigate the organisations security awareness program

78

67
Q

Information Security Strategy Development

After performing a risk and threat assessment and reviewing the state of the security program, the strategic objectives of a security strategy will fall into one of 6 categories

A
  1. Improvements to protective controls
  2. Improvements in incident visibility
  3. Improvements in incident response
  4. Reductions in risk, including compliance risk
  5. Reductions in cost
  6. Increased resiliency of key business systems

79

68
Q

Information Security Strategy Development

A gap assessment should focus on several aspects of a security program. This should include one or more of the following areas

A
  1. Business alignment
  2. Existing/previous strategy
  3. Security program charter
  4. Security Policy
  5. Security Standards
  6. Security Procedures
  7. Security Guidelines
  8. Security Controls
  9. Risk Assessments
  10. Internal and External Audit Results
  11. Security Metrics
  12. Risk Register
  13. Risk treatment decisions
  14. Security incident program
  15. Security incident records
  16. Third party risk
  17. BCP and DR
  18. Security awareness training program
  19. IT and Security projects

82

69
Q

Information Security Strategy Development

A sparse or nonexistent security incident log may be an indication of what 3 key things

A
  1. Lack of visibility
  2. Lack of training and recognition ability
  3. Only watching for “black swan” events, missing routine incidents

82

70
Q

Information Security Strategy Development

A tool used in the support of strategy planning which provides insight into 4 specific areas

A

SWOT Analysis
1. Strengths
2. Weaknesses
3. Opportunities
4. Threats

83

71
Q

Information Security Strategy Development

CMMI-DEV

A

Capability Maturity Model Integration for Development

84

72
Q

Information Security Strategy Development

The 5 levels of maturity within the CMMI-DEV model

A
  1. Initial
  2. Repeatable
  3. Defined
  4. Managed
  5. Optimizing

84

73
Q

Information Security Strategy Development

CMMI-DEV model level;
A process that is ad hoc, inconsistent, unmeasured, and unrepeatable

A

Level 1: Initial

84

74
Q

Information Security Strategy Development

CMMI-DEV model level;
A process is performed consistently and with the same outcome. May or may not be documented

A

Level 2: Repeatable

84

75
Q

Information Security Strategy Development

CMMI-DEV model level;
A process that is well defined and well documented

A

Level 3: Defined

84

76
Q

Information Security Strategy Development

CMMI-DEV model level;
A quantitatively measured process with one or more metrics

A

Level 4: Managed

84

77
Q

Information Security Strategy Development

CMMI-DEV model level;
A measured process that is under continuous improvement

A

Level 5: Optimizing

84

78
Q

Information Security Strategy Development

Security policies should be designed to be durable and not tied to specific what

A

Technologies

Significant changes in technology could put policies at odds with the technology

85

79
Q

Information Security Strategy Development

It is common practice to structure an organisation's security policy using one or more of the following relevant frameworks

A
  1. NIST SP 800-53
  2. NIST SP 800-171 / NIST SP 800-172
  3. ISO/IEC 27001 / ISO/IEC 27002
  4. COBIT
  5. HIPAA
  6. PCI DSS
  7. CIS CSC

86

80
Q

Information Security Strategy Development

What is the risk associated with not obtaining stakeholder support and buy in when policies are written

A

Deploying policies that cannot be adhered to

86

81
Q

Information Security Strategy Development

Controls are generally changed as a result of what

A

Risk Assessment

86

82
Q

Information Security Strategy Development

An organisation should select a control framework that best aligns with what

A

Industry

87

83
Q

Information Security Strategy Development

A policy will define ____
A standard will define ____

A
  1. What is to be done
  2. How policies are carried out

Policy will say you must use strong passwords
A standard will define character length, character usage etc.

87

84
Q

Information Security Strategy Development

Describe the steps to be followed when carrying out functions and tasks

A

Processes and Procedures

88

85
Q

Information Security Strategy Development

What are the 2 key things that a security strategy will obtain when it achieves management commitment

A
  1. Funding
  2. Resources

91

86
Q

Information Security Strategy Development

When trying to obtain management commitment to a security strategy, the security strategist should avoid using fear, uncertainty, and doubt (FUD). How should the strategy be presented instead

A

Business Terms and Business Opportunities

91

87
Q

Information Security Strategy Development

A tendency for people within the organisation to think that change is bad

Constraint, obstacle, or other strategy constraints

A

Resistance to Change

92

88
Q

Information Security Strategy Development

A pattern of thinking in which people believe that because a disaster or breach has never occurred, it never will

Constraint, obstacle, or other strategy constraints

A

Normalcy Bias

92

89
Q

Information Security Strategy Development

A collection of values and behaviours that contribute to the unique social and psychological environment of the organisation

Constraint, obstacle, or other strategy constraints

A

Culture

92

90
Q

Information Security Strategy Development

4 different cultural constraints

Constraint, obstacle, or other strategy constraints

A
  1. Strong Culture
  2. Weak Culture
  3. Culture of Fear
  4. Healthy Culture

  1. Personnel understand and support the organisational goals and objectives and need little encouragement
  2. Culture not well aligned with the organisation
  3. Workers distrust management, who act as tyrants
  4. Workers and management respect each other and have a strong sense of accountability

92

91
Q

Information Security Strategy Development

Understanding “who owns what turf” and establishing the correct relationships to better support the security strategy

Constraint, obstacle, or other strategy constraints

A

Organisational Structure

93

92
Q

Information Security Strategy Development

A security strategy cannot succeed if the requisite skills do not exist to execute it

Constraint, obstacle, or other strategy constraints

A

Staff Capabilities

93

93
Q

Information Security Strategy Development

The need for a security strategist to understand with a degree of precision the hard and soft costs associated with elements of the security strategy

Constraint, obstacle, or other strategy constraints

A

Budget and Cost

93

94
Q

Information Security Strategy Development

Project initiatives within the security strategy are not all delivered within the same time frames and need effective project management and setting of expectations

Constraint, obstacle, or other strategy constraints

A

Time

94

95
Q

Information Security Strategy Development

Items included in a strategy because they are governed by external sources. For example, implementing a WAF to meet PCI DSS compliance

Constraint, obstacle, or other strategy constraints

A

Legal and Regulatory Obligations

94

96
Q

Information Security Strategy Development

Understanding the risk appetite alignment and impact which define to what extent elements of a security strategy could be executed successfully, or even adopted

Constraint, obstacle, or other strategy constraints

A

Acceptable Risk

95

97
Q

Information Security Strategy Development

3 key components which together make up what is known as "the obstacle of organisational inertia"

Things are done the same way until change is exerted, and that change meets resistance

Constraint, obstacle, or other strategy constraints

A
  1. Operational people performing change
  2. Learning curve
  3. Human resistance to change

  1. Business processes undergoing change must continue operation. Change should be enacted slowly and carefully to avoid operational impact
  2. Significant change requires personnel to learn new systems, processes, and procedures
  3. Human resistance to change