1. Information Security Governance - 24% Flashcards
What is a RACI Chart
Responsible
Accountable
Consultable
Informed
What are the 5 principles of the National Association of Corporate Directors
Principle 1 - cybersecurity is an enterprise-wide issue
Principle 2 - Understand legal implications of cyber risks
Principle 3 - access to cybersecurity expertise
Principle 4 - boards should set expectations that management will establish an enterprise-wide cyber risk management framework
Principle 5 - should discuss cyber risk including avoidance, acceptance, mitigation and transfer.
What are different types of metrics used for simple categorization
Key Risk Indicators - metrics associated with the measurement of risk
Key Goal Indicators - attainment of strategic goals
Key Performance Indicators - show efficiency and effectiveness of security-related goals
What is ROSI
Return on Security Investment.
What is the acronym SMART in the effectiveness of a metric
Specific
Measurable
Attainable
Relevant
Timely
What is BMIS
Developed by ISACA in 2009, the Business Model for Information Security is a guide for business-aligned, risk-based security governance.
This was derived from the Systemic Security Management Framework developed by the USC Marshall School of Business
What is the dominant enterprise architecture standard established in the late 80s
The Zachman Framework
Starts at a high functional level and then proceeds in increasing detail.
What does the Zachman model not do for IT systems
It does not convey the relationships between IT systems. Data Flow Diagrams are used to depict that.
What is the difference between a leading indicator and trailing indicator
Leading indicators are a predictor of the probability of future security incidents. Patch management stats, phishing sim results, UEBA, etc.
Trailing indicators are more reactive in nature based on security incidents related to attacks blocked by firewall, viruses stopped, etc.
What are the elements of the business model for information security (BMIS)
Organization, people, process and technology.
The dynamic interconnections (DI’s) are culture, governing architecture, emergence, enabling and support, and human factors.
The primary factor in the selection of a control framework is
Industry Vertical - for example a healthcare organization is going to want to utilize HIPAA Security Rules
What is the purpose of a balanced scorecard?
Measure organizational performance and effectiveness against strategic goals.
Tool used to quantify the performance of an organization against strategic objectives
A process that is performed consistently but is not documented is generally considered to be
Repeatable
T or F: all processes should reach the maturity level of optimized
False - there are no rules that the maturity levels of different processes need to be the same or at a different level.
What is the primary responsibility of the custodian related to customers
Custodian makes decisions based on customer’s defined interests
Compare CISO, CRO, CSO, and CIRO
CISO is responsible for information assets and not physical assets
Chief Risk Officer is responsible for managing risks for multiple types of assets.
Chief Security Officer is responsible for design, deployment, and operation of protective controls.
Chief Information Risk Officer is responsible for risk management and protection of information assets but not property, plant and equipment.
A completion % metric is most likely associated with what type of Indicator
Key Goal Indicator (KGI)
If two organizations are merging, which is the greater risk: differences in practices or gaps in coverage
Differences in practices.
What is the purpose of value delivery metrics
Long-term reduction in costs
What is a common term for mechanisms that ensure a desired outcome in a selected business process
Control
What is the best explanation for the Implementation Tiers in NIST CSF
CSF states that Implementation Tiers are not strictly maturity levels but are very similar to them.
What are 3 factors that a risk manager may consider when developing an Infosec Strategy
Risk Levels
Operating Costs
Compliance Levels
If an Infosec Policy is considered aspirational what is the consequence and first step
Org does not appear to be in control of its security practice
Meet with legal counsel to develop a plan of action
Roll back controls to a reasonable level
An organization is required by PCI to include several policies that are highly technical and not applicable to the majority of its employees. What is the best course of action for implementing these policies?
Have a separate technical security policy containing those required items, with a separate AUP for all workers.
If an org lacks a security architecture function, what is the most likely result, and what is the main advantage for larger distributed organizations
Inconsistent application of standards
Greater consistency in the use of tools and configurations
What value does a BIA provide for a security leader
Provides a view of the criticality of business processes in an organization
What are the levels of Capability Maturity Model
Initial
Repeatable
Defined
Managed
Optimizing
What source would be the best to learn about the current state of a cybersecurity program
Risk Assessment
Followed by
Risk Register
What are the elements of a business case
Current state, desired state, success criteria, requirements, constraints, approach and plan
Who would make the cyber-risk treatment decision
Information Security Steering Committee
An installation metric is typically associated with what type of indicator
Key Goal Indicator (KGI)
What best describes ISO 27001
Consists primarily of a body of requirements for running a security management program along with an appendix of security controls.
What view does the BIA provide for a security leader in an organization
criticality of BUSINESS Processes
What makes BMIS unique
It takes into consideration the organization and its culture through the DI (dynamic interconnections)