02. Information Governance Frameworks and Standards Flashcards

1
Q

Information Governance Frameworks and Standards

This framework involves activities to ensure that executives are in control of the organisation and that they are adequately informed

A

Governance Framework

96

2
Q

Information Governance Frameworks and Standards

Involves IT, security, and privacy controls: the detailed statements describing desired outcomes, which are examined for proper design and effectiveness

A

Control Framework

96

3
Q

Information Governance Frameworks and Standards

5 key security governance frameworks used today and referred to in the CISM frequently

A
  1. Business Model for Information Security (BMIS)
  2. Zachman Framework
  3. The Open Group Architecture Framework (TOGAF)
  4. ISO/IEC 27001
  5. NIST Risk Management Framework

96

4
Q

Information Governance Frameworks and Standards

Developed by ISACA in 2009, this model is a guide for business-aligned, risk-based security governance

A

Business Model for Information Security

5
Q

Information Governance Frameworks and Standards

What are the 4 elements of the Business Model for Information Security (BMIS)?

BMIS

A
  1. People
  2. Organisation
  3. Technology
  4. Process

BMIS Model

The four elements are connected by Dynamic Interconnections (DIs)

97

6
Q

Information Governance Frameworks and Standards

The inclusion of which element makes the BMIS model unique?

BMIS

A

Organisation

97

7
Q

Information Governance Frameworks and Standards

Which element in the BMIS model represents the formal structure of all defined activities in the organisation?

BMIS

A

Process

Processes should have a clear business reason for existing, accountable owners, clear roles and responsibilities defined, and means to measure performance

98

8
Q

Information Governance Frameworks and Standards

Which element in the BMIS model represents the systems, applications, and tools used?

BMIS

A

Technology

98

9
Q

Information Governance Frameworks and Standards

What are the 6 dynamic interconnections between the 4 elements of the BMIS model?

BMIS

A
  1. Process < Governing > Organisation
  2. Process < Emergence > People
  3. Process < Enabling & Support > Technology
  4. People < Culture > Organisation
  5. Organisation < Architecture > Technology
  6. Technology < Human Factors > People
10
Q

Information Governance Frameworks and Standards

Which DI is defined as a pattern of behaviours, beliefs, assumptions, attitudes, and ways of doing things, and links “people” and “organisation”?

BMIS

A

Culture

11
Q

Information Governance Frameworks and Standards

It is not feasible to define a single culture in an organisation that has what?

BMIS

A

Regional or Global Locations

98

12
Q

Information Governance Frameworks and Standards

Steps to create a favorable security culture include the following:

BMIS

A
  • Involve personnel in discussions about the protection of critical assets.
  • Executive leadership must lead by example and follow all policies.
  • Include security responsibilities in all job descriptions.
  • Include security factors in employees’ compensation, for example, merit increases and bonuses.
  • Link the protection of critical assets to the long-term success of the organisation.
  • Integrate messages related to the protection of assets, and other aspects of the information security program, into existing communications such as newsletters.
  • Incorporate “secure by design” into key business processes so that security is part of the organisation’s routine activities.
  • Reward and recognise desired behaviour; similarly, admonish undesired behaviour privately.

99

13
Q

Information Governance Frameworks and Standards

Which DI is defined as a set of responsibilities and practices exercised by the board and executive management, and links “organisation” and “process”?

BMIS

A

Governing

14
Q

Information Governance Frameworks and Standards

Which DI signifies the need for the use of technology to be planned, orderly, and purposeful, and links “organisation” and “technology”?

BMIS

A

Architecture

15
Q

Information Governance Frameworks and Standards

8 key elements that good architecture practice will ensure

BMIS

A
  1. Alignment: supports the organisation’s mission and objectives
  2. Consistency: similar or identical practices are employed throughout the IT environment
  3. Efficiency: the environment can be built and operated efficiently
  4. Low Cost: costs can be reduced through economy of scale and less waste
  5. Resilience: greater resilience within design models
  6. Flexibility: ability to accommodate changing business needs and external factors
  7. Scalability: architectures are not so rigid that they cannot be made larger or smaller to accommodate business needs
  8. Security: encompasses the principle of secure by design

100

16
Q

Information Governance Frameworks and Standards

Which DI exists to bring focus to the way people perform their work, and links “people” and “process”?

BMIS

A

Emergence

17
Q

Information Governance Frameworks and Standards

Methods by which an organisation can reduce deviation in work output caused by emergence

BMIS

A
  1. Increase automation
  2. Enact controls
  3. Increase process maturity

101

18
Q

Information Governance Frameworks and Standards

Which DI exists to enable and support business processes through technology, and links “technology” and “process”?

BMIS

A

Enabling and Support

19
Q

Information Governance Frameworks and Standards

Which DI represents the interaction between people and information systems, and links “technology” and “people”?

BMIS

A

Human Factors

20
Q

Information Governance Frameworks and Standards

8 key considerations that need to be included in the design of information systems (both hardware and software)

BMIS

A
  1. Consistency: the system should resemble other commonly used systems, e.g. keyboard arrangement and user interface
  2. Typing and data entry: text entry should be straightforward
  3. Display and readability: users should be able to read text and see images clearly
  4. Error recovery: users should be able to repeat a step when they have made an error
  5. Sound: sound should be adjustable, and systems should not emit large amounts of noise (e.g. from cooling fans)
  6. Voice and biometric recognition: systems should use advanced recognition technologies and be easy to use
  7. Ergonomics: devices should be easy to use without causing strain or stress
  8. Environment: systems should be designed to operate in the environments in which they will be used

102

21
Q

Information Governance Frameworks and Standards

The success of the BMIS model is based on the fact that it considers things not necessarily in detail, but rather more what?

BMIS

A

Holistically

102

22
Q

Information Governance Frameworks and Standards

Established in the late 1980s and continues to be the dominant enterprise architecture standard today

A

Zachman Framework

23
Q

Information Governance Frameworks and Standards

The Zachman Framework shows IT systems in what manner?

Zachman Framework

A

Increasing Levels of Detail

24
Q

Information Governance Frameworks and Standards

A model that defines or depicts data flows in increasing levels of detail and helps non-technical executives understand the various IT applications and their relationships

A

Data Flow Diagram

25
Q

Information Governance Frameworks and Standards

A life cycle framework used for designing, planning, implementing and governing an enterprise technology architecture

A

The Open Group Architecture Framework
(TOGAF)

TOGAF

105

26
Q

Information Governance Frameworks and Standards

The 10 phases used in TOGAF

TOGAF

A
  1. Preliminary
  2. Architecture Vision
  3. Business Architecture
  4. Information Systems Architecture
  5. Technology Architecture
  6. Opportunities and Solutions
  7. Migration Planning
  8. Implementation Governance
  9. Architecture Change Management
  10. Requirements Management

TOGAF

105

27
Q

Information Governance Frameworks and Standards

An international standard for information security and risk management divided into two sections, “requirements” and “controls”; the requirements section outlines a properly functioning information security management system (ISMS)

A

ISO/IEC 27001

106

28
Q

Information Governance Frameworks and Standards

The requirements in ISO/IEC 27001 are described in 7 sections

ISO/IEC 27001

A
  1. Context of the organisation
  2. Leadership
  3. Planning
  4. Support
  5. Operation
  6. Performance Evaluation
  7. Improvement

106

29
Q

Information Governance Frameworks and Standards

A framework that is essentially a catalog of cybersecurity activities; its implementation is required within the US federal government, but it is used as voluntary guidance by private, commercial, and other organisations

A

NIST Cybersecurity Framework
(NIST CSF)

107

30
Q

Information Governance Frameworks and Standards

5 core activities/functions of the NIST CSF

NIST CSF

A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

108

31
Q

Information Governance Frameworks and Standards

4 tiers used within the NIST CSF, intended to describe an organisation’s cybersecurity program capabilities in support of the organisation’s goals and objectives

NIST CSF

A
  1. Partial
  2. Risk Informed
  3. Repeatable
  4. Adaptive

108

32
Q

Information Governance Frameworks and Standards

NIST CSF Tier:
Cybersecurity programs may not be formalised, and risks are managed in an ad hoc or reactive manner

A

Partial

108

33
Q

Information Governance Frameworks and Standards

NIST CSF Tier:
Cybersecurity program activities are approved by management and linked to organisational risk concerns and business objectives, but consideration of cybersecurity in business programs is not consistent at all levels of the organisation

NIST CSF

A

Risk Informed

108

34
Q

Information Governance Frameworks and Standards

NIST CSF Tier:
Cybersecurity program activities are formally approved and supported by policy. Cybersecurity program capabilities are regularly reviewed and updated based on risk management processes and changes to business objectives

NIST CSF

A

Repeatable

109

35
Q

Information Governance Frameworks and Standards

NIST CSF Tier:
A consistent organisation-wide approach to managing cybersecurity risk through formal policies, standards and procedures. Program capabilities are routinely updated based on current and previous events

NIST CSF

A

Adaptive

109

36
Q

Information Governance Frameworks and Standards

A framework for information systems and organisations that provides a means for executives and organisation owners to manage the organisation’s information security program properly; it contains 7 steps to ensure the organisation can successfully execute its program

A

NIST Risk Management Framework
(NIST SP 800-37)

NIST RMF

109

37
Q

Information Governance Frameworks and Standards

7 steps of the NIST RMF (SP 800-37) that ensure an organisation can successfully execute its risk management program

NIST RMF

A
  1. Prepare
  2. Categorise
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

NIST RMF

109