1-Information Security Management Flashcards
Information security Management
The collection of policies, processes, and procedures that ensures an organization’s security policy is effective.
The key success of a security management program
Ongoing executive support
Is information security management a separate activity?
No, information security management works hand in glove with IT governance and risk management.
What should be included in an effective information security policy
- Statement of executive support
- Roles & Responsibilities
- Value of information-related assets
- Protection of Information Assets
- Acceptable behavior
- Risk Management
- Support of laws and regulations
- Enforcement and consequences
The elements of security awareness
- Signed acknowledgment of security policy
- Security awareness training upon hire
- Annual security awareness training - refresher and updates
- Internal website
- Periodic messages
- Posters and Flyers
- Rewards for desired behavior.
What is a security incident
An event where the confidentiality, integrity, or availability of information /information system has been or is in danger of being compromised
Incidents to include in an incident response plan
- Information exposure or theft
- Information system theft
- Information system damage
- Information corruption
- Malware
What is advisable to most organizations when it comes to incident response
Organizations are advised to test their incident response plans to make sure that they will be effective when a real security incident occurs.
What is the purpose of corrective and preventive actions when it comes to security risk
To reduce risk by taking corrective and preventive actions.
What are part of a culture of continuous improvement
Corrective and preventive actions
Role of the Board of Directors in the protection of information and assets
Responsible for directing executive management to provide adequate resources to the protection of information and assets.
Role of the Executive Management in the protection of information and assets
Responsible for ratification and support of information security policy and overall responsibility for asset protection.
Role of the Security steering committee in the protection of information and assets
A committee of senior-level officials from every department in the organization that is convened for approval of security policies, discussion of risk-related matters, and allocation of resources to carry out asset protection.
Chief Information Officer - CIO
Senior-level official who is responsible for the deployment and operation of all information systems, and for the management of all information.
Chief Information Security Officer (CISO) or Chief Information Risk Officer (CIRO)
Senior-level official who is responsible for the operation of the organization's risk management program, the development and enforcement of security policy, and the protection of information assets.
Chief Privacy Officer - CPO
The senior-level official who is responsible for the proper handling of personally sensitive information belonging to employees and customers, to protect their privacy rights.
Security auditors
Responsible for monitoring and testing security controls and delivering written opinions on the effectiveness of those controls
Security administrators
Responsible for operating or monitoring specific security controls such as user access controls, firewalls, or intrusion detection systems
Security analyst
Responsible for implementing and/or enforcing security policy by designing, improving, and/or monitoring security processes and security controls
Systems analysts
Responsible for implementing and/or enforcing security policy by designing application software that includes adequate controls to protect the application as well as the information that it manages and stores
Software developers
Responsible for coding application software that includes controls to prevent application misuse or bypass of controls, to protect the integrity and confidentiality of information
Asset owners
Responsible for protection and integrity of assets, and for approving requests to access the assets they control
Audit committee
A subset of the board of directors, responsible for reviewing internal and external audit reports and requiring executive management to respond to any nonconformities.
What an effective security management program needs to align with
The organization’s mission, strategies, and objectives.
Information assets categories
- Information - software, tools, and every type of data
- Information systems - servers, workstations, mobile devices, IT hardware, etc.
Both information and information systems need to be inventoried and classified.
Hardware asset inventory
- Identification
- Value
- Location
- Condition
- Security classification
- Asset group
- Owner
- Custodian
What is a hardware asset owner
Person or group responsible for the operation of the asset
What to periodically check
Hardware assets: since they are movable, they must be physically checked periodically to verify the recorded information and the existence of the asset.
Information Assets
Intangible information stored in systems should be treated as an asset.
They should also be inventoried periodically.
The four levels of information classification
secret, restricted, confidential, and public.