04. Organisational Structure, Roles, Responsibilities Flashcards
Organisational Structure, Roles, Responsibilities
The way the organisation is structured will help drive how it deals with what? This is because departments and other hierarchical structures are established to take care of specific functions that contribute towards business goals and objectives
Cybersecurity
41
Each unit at each level of the business hierarchy should be aware of, and what for, its impact on information protection and cybersecurity
Responsible
42
What does a ROLE describe of an employee
Expected activities obligated to perform as part of their employment
42
A job title or position title is typically associated with what
Role
42
A RESPONSIBILITY is a statement of what
Activities that a person is expected to perform
43
An organisation assigns roles and responsibilities to individuals and groups to meet the organisation's what 2 things in relation to security
Strategy and Objectives
43
What is the purpose of the development of a RACI
Help personnel determine roles for various business activities
43
What 3 things specifically should be considered when assigning roles to individuals and groups in a RACI chart
- Skills
- Segregation of duties
- Conflict of interest
45
Activities performed by the board of directors, as well as the directors' authority, are usually defined by what 3 things
- Constitution
- Bylaws
- External Regulation
45
Board members have fiduciary duty, which means what
A fiduciary is a person who holds a legal or ethical relationship of trust with one or more other parties
45
In the U.S., public companies are required to form an audit committee based on what act
Sarbanes-Oxley Act
45
The Board of Directors expect the CEO and other executives to implement a corporate governance function to ensure who has an appropriate level of visibility and control over the organisation's operations
Executive Management
46
Who is accountable to the board of directors to demonstrate that they have effectively carried out the board's strategies
Executives
46
Information security management includes ensuring that sufficient organisational resources are devoted to implementing a security program and developing and maintaining security controls to protect critical assets. Who is responsible for this
Executive Management
CIO - Chief Information Officer
CTO - Chief Technical Officer
CISO - Chief Information Security Officer
47
To ensure the success of the organisation's information security program, executive management should be involved in which 3 key areas
- Ratify corporate security policy
- Leadership by example
- Assume Ultimate Responsibility
47
A security steering committee should consist of, if possible, stakeholders from which 4 things
- Business units
- Departments
- Functions
- Principal Locations
47
Risk treatment deliberations and recommendations are typically the responsibility of who
Steering Committee
47
Discussion and coordination of IT and security projects is typically the responsibility of who
Steering Committee
47
Reviewing of recent risk assessments is typically the responsibility of who
Steering Committee
Discussion of new laws, regulations, and requirements is typically the responsibility of who
Steering Committee
48
Review of recent security incidents is typically the responsibility of who
Steering Committee
48
Deciding on whether individuals or groups should be given access to or have access revoked to an asset and the level and type of access is the responsibility of who
Business Process or Asset Owner
48
Periodic reviews of access lists and determining if people/groups should have continued access to an asset is the responsibility of who
Business Process or Asset Owner
48
Determining the proper function and support of applications and business processes, and determining the asset configuration required, is the responsibility of who
Business Process or Asset Owner
48
Who determines what functions will be available, and how they work, in relation to business applications
Business Process or Asset Owner
48
Who determines the physical location of an asset
Business Process or Asset Owner
49
A CISO will develop business-aligned security strategies that support current and future business initiatives and will be responsible for…
- Developing and operating the organisation's information risk program
- Developing and implementing security policies
- Developing and implementing security incident response
- Developing operational security functions
49
The CISO typically reports to one of which two people
- COO - Chief Operations Officer
- CEO - Chief Executive Officer
May report to CIO in some organisations
49
This role has the responsibility of workplace security
Chief Security Officer
(CSO)
49
This position is principally concerned with all aspects of risk and is separate from IT
Chief Risk Officer
(CRO)
What view do C-Level executives possibly have in an organisation where they have not implemented the role of a CISO
Security will hinder business development and agility
50
For what reason may a small or medium business not have a full-time CISO
Not cost-effective
50
A glance at the title of the highest ranking information security position in an organisation reveals executive management's opinion of information security. Which role would be leading information security;
“Information security is tactical and often viewed as consisting only of antivirus software and firewalls. This role has no visibility into the development of business objectives. Execs consider security as unimportant and based on technology only.”
Security Manager
50
A glance at the title of the highest ranking information security position in an organisation reveals executive management's opinion of information security. Which role would be leading information security;
“Information security is essential and has moderate decision making capability but little influence on the business. This role may have little visibility of overall business strategies and little or no access to executive management or board of directors”
Security Director
50
A glance at the title of the highest ranking information security position in an organisation reveals executive management's opinion of information security. Which role would be leading information security;
“Information security is strategic but does not influence business strategy and objectives. This role will have access to executive management and possibly the board of directors”
Vice President
50
A glance at the title of the highest ranking information security position in an organisation reveals executive management's opinion of information security. Which role would be leading information security;
“Information security is strategic, and business objectives are developed with full consideration for risk”
CISO/CIRO/CRO/CSO/vCISO
50
A role typically involved in the safeguarding of PII and ensuring the organisation does not misuse PII
Chief Privacy Officer (CPO)
aka
Data Protection Officer (DPO)
51
A role that includes oversight over policy and organisation functions that come into scope for regulations and standards
Chief Compliance Officer
(CCO)
51
This role is responsible for performing risk assessments and maintaining the risk register
Risk Manager
54
This role works closely with the risk manager and is responsible for maintaining security and privacy policy documents and related information
Policy Manager
54
This role is responsible for maintaining security controls, advising control owners on responsibilities and expectations, and assessing controls for effectiveness
Controls Manager
54
This role is responsible for data classification policy and serves as a governance function to manage the organisation's use of information
Information Governance
54
4 core roles in the business resilience function responsible for various activities that ensure the organisation can continue operations despite disruptive events
- Crisis Communications Officer
- Crisis Manager
- Business Continuity Planner
- Disaster Recovery Planner
54
Roles within the security operations function are responsible for designing, building and monitoring security systems and controls to ensure information systems maintain what 3 things
- Confidentiality
- Integrity
- Availability
CIA
54
2 core roles within the Security Audit function responsible for examining process design and verifying the effectiveness of security controls
- Security Audit Manager
- Security Auditor
54
2 core roles within the Quality Assurance function responsible for examining process design and verifying the effectiveness of security controls
- QA manager
- QC Manager
Quality Assurance
Quality Control
56
Controls and internal audit
An internal audit of controls provides an objective analysis of what
control effectiveness
57
Metrics and Reporting
Developing metrics for repeated activities helps management better understand what
Work output
57
Work measurement
A structured activity used to measure repeated tasks carefully helps management better understand what
volume of work performed
57