02. Information Governance Frameworks and Standards Flashcards
Information Governance Frameworks and Standards
This framework involves activities to ensure that executives are in control of the organisation and that they are adequately informed
Governance Framework
96
Information Governance Frameworks and Standards
Involves IT, security, and privacy controls: the detailed statements describing desired outcomes that are examined for proper design and effectiveness
Control Framework
96
Information Governance Frameworks and Standards
5 key security governance frameworks used today and referred to in the CISM frequently
- Business Model for Information Security (BMIS)
- Zachman Framework
- The Open Group Architecture Framework (TOGAF)
- ISO/IEC 27001
- NIST Risk Management Framework
96
Information Governance Frameworks and Standards
Developed by ISACA in 2009, this model is a guide for business-aligned, risk-based security governance
Business Model for Information Security
96
Information Governance Frameworks and Standards
What are the 4 elements of the Business Model for Information Security (BMIS)
BMIS
- People
- Organisation
- Technology
- Process
Information Governance Frameworks and Standards
Which element's inclusion in the model makes BMIS unique
BMIS
Organisation
97
Information Governance Frameworks and Standards
Which element in the BMIS model represents the formal structure of all defined activities in the organisation
BMIS
Process
Processes should have a clear business reason for existing, accountable owners, clear roles and responsibilities defined, and means to measure performance
98
Information Governance Frameworks and Standards
Which element in the BMIS model represents the systems, applications, and tools used
BMIS
Technology
98
Information Governance Frameworks and Standards
What are the 6 dynamic connections between the 4 elements of the BMIS model
BMIS
- Process < Governing > Organisation
- Process < Emergence > People
- Process < Enabling & Support > Technology
- People < Culture > Organisation
- Organisation < Architecture > Technology
- Technology < Human Factors > People
98
Information Governance Frameworks and Standards
Which DI element is defined as a pattern of behaviours, beliefs, assumptions, attitudes, and ways of doing things and links “people” and “organisation”
BMIS
Culture
98
Information Governance Frameworks and Standards
It is not feasible to define a single culture in an organisation which has what
BMIS
Regional or Global Locations
98
Information Governance Frameworks and Standards
Steps to create a favorable security culture include the following:
BMIS
- Involve personnel in discussions about the protection of critical assets.
- Executive leadership must lead by example and follow all policies.
- Include security responsibilities in all job descriptions.
- Include security factors in employees’ compensation- for example, merit increases and bonuses.
- Link the protection of critical assets to the long-term success of the organization.
- Integrate messages related to the protection of assets, and other aspects of the information security program, into existing communications such as newsletters.
- Incorporate “secure by design” into key business processes so that security is part of the organization’s routine activities.
- Reward and recognize desired behavior; similarly, admonish undesired behavior privately.
99
Information Governance Frameworks and Standards
Which DI element is defined as a set of responsibilities and practices exercised by the board and executive management and links “organisation” and “process”
BMIS
Governing
99
Information Governance Frameworks and Standards
Which DI element signifies the need for the use of technology to be planned, orderly, and purposeful, and links “organisation” and “technology”
BMIS
Architecture
100
Information Governance Frameworks and Standards
8 key elements that good practice of architecture will ensure
BMIS
- Alignment: supports the organisation's mission and objectives
- Consistency: similar or identical practices employed throughout the IT environment
- Efficiency: the environment can be built and operated efficiently
- Low Cost: costs can be reduced through economy of scale and less waste
- Resilience: greater resilience within design models
- Flexibility: ability to accommodate changing business needs and external factors
- Scalability: architectures are not so rigid that they cannot be made larger or smaller to accommodate business needs
- Security: encompasses the principle of secure by design
100
Information Governance Frameworks and Standards
Which DI element exists to bring focus to the way people perform their work and links “people” and “process”
BMIS
Emergence
100
Information Governance Frameworks and Standards
Methods by which an organisation can reduce work output deviation caused by emergence
BMIS
- Increase automation
- Enact controls
- Increase process maturity
101
Information Governance Frameworks and Standards
Which DI element exists to enable and support business processes by technology and links “technology” and “process”
BMIS
Enabling and Support
101
Information Governance Frameworks and Standards
Which DI element represents the interaction between people and information systems and links “technology” and “people”
BMIS
Human Factors
101
Information Governance Frameworks and Standards
8 key considerations that need to be included in the design of information systems (both hardware and software)
BMIS
- Consistency: the system should resemble other commonly used systems, e.g. keyboard arrangement and user interface
- Typing and data entry: text entry should be straightforward
- Display and Readability: users should be able to read text and see images clearly
- Error Recovery: users should be able to repeat a step when they have made an error
- Sound: sound should be adjustable, or systems should not emit large amounts of sound, such as from cooling fans
- Voice and Biometric Recognition: technologies should use advanced recognition technologies and be easy to use
- Ergonomics: devices should be easy to use without causing strain or stress
- Environment: designed to operate in the environments in which they will be used
102
Information Governance Frameworks and Standards
The success of the BMIS model is based on the fact that it considers things not necessarily in detail but rather more what
BMIS
Holistically
102
Information Governance Frameworks and Standards
Established in the late 1980s and continues to be the dominant enterprise architecture standard today
Zachman Framework
Information Governance Frameworks and Standards
The Zachman Framework shows IT systems in what manner
Zachman Framework
Increasing Levels of Detail
Information Governance Frameworks and Standards
A model that defines or depicts data flows in increasing levels of detail and helps non-technical executives understand the various IT applications and their relationships
Data Flow Diagram
Information Governance Frameworks and Standards
A life cycle framework used for designing, planning, implementing and governing an enterprise technology architecture
The Open Group Architecture Framework
(TOGAF)
105
Information Governance Frameworks and Standards
The 10 phases used in TOGAF
TOGAF
- Preliminary
- Architecture Vision
- Business Architecture
- Information Systems Architecture
- Technology Architecture
- Opportunities and Solutions
- Migration Planning
- Implementation Governance
- Architecture Change Management
- Requirements Management
105
Information Governance Frameworks and Standards
An international standard for information security and risk management divided into two sections, “requirements” and “controls”; the requirements section outlines a properly functioning information security management system (ISMS)
ISO/IEC 27001
106
Information Governance Frameworks and Standards
The requirements in ISO/IEC 27001 are described in 7 sections
ISO/IEC 27001
- Context of the organisation
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvement
106
Information Governance Frameworks and Standards
A framework that is essentially a catalog of cybersecurity activities; its implementation is required within the US government, but it is used as voluntary guidance by private, commercial, and other organisations
NIST Cybersecurity Framework
(NIST CSF)
107
Information Governance Frameworks and Standards
5 core activities/functions of the NIST CSF
NIST CSF
- Identify
- Protect
- Detect
- Respond
- Recover
108
Information Governance Frameworks and Standards
4 tiers used within the NIST CSF intended to describe an organisation's cybersecurity program capabilities in support of the organisation's goals and objectives
NIST CSF
- Partial
- Risk Informed
- Repeatable
- Adaptive
108
Information Governance Frameworks and Standards
NIST CSF Tier:
Cybersecurity programs may not be formalised and risks are managed in an ad hoc or reactive manner
Partial
108
Information Governance Frameworks and Standards
NIST CSF Tier:
Cybersecurity program activities are approved by management and linked to organisational risk concerns and business objectives but considerations in business programs will not be consistent at all levels of the organisation
NIST CSF
Risk Informed
108
Information Governance Frameworks and Standards
NIST CSF Tier:
Cybersecurity program activities are formally approved and supported by policy. Cybersecurity program capabilities are regularly reviewed and updated based on risk management processes and changes to business objectives
NIST CSF
Repeatable
109
Information Governance Frameworks and Standards
NIST CSF Tier:
A consistent organisation-wide approach to managing cybersecurity risk through formal policies, standards and procedures. Program capabilities are routinely updated based on current and previous events
NIST CSF
Adaptive
109
Information Governance Frameworks and Standards
A framework for information systems and organisations that provides a means for executives and organisation owners to properly manage the organisation's information security program, containing 7 steps to ensure the organisation can successfully execute its program
NIST Risk Management Framework
(NIST SP 800-37)
109
Information Governance Frameworks and Standards
7 steps of the NIST RMF (800-37) that ensure an organisation can successfully execute its risk management program
NIST RMF
- Prepare
- Categorise
- Select
- Implement
- Assess
- Authorize
- Monitor
109