1-Information Security Management

Question 1

Information security Management

Answer 1

The collection of policies, processes, and procedures that ensures an organization’s security policy is effective.

Question 2

The key success of a security management program

Answer 2

Ongoing executive support

Question 3

Is information security management a separate activity?

Answer 3

No, Information security management works right-in-gloves with IT governance and risk management.

Question 4

What should be included in an effective information security policy

Answer 4

• Statement of executive support
• Roles & Responsibilities
• Value of information-related assets
• Protection of Information Assets
• Acceptable behavior
• Risk Management
• Support of laws and regulations
• Enforcement and consequences,

Question 5

The element of security awareness

Answer 5

• Signed acknowledgment of security policy
• Security awareness training upon hire
• Annual security awareness training - refresher et updates
• Internal website
• Periodic message
• Posters and Flyers
• Rewards for desired behavior.

Question 6

What is a security incident

Answer 6

An event where the confidentiality, integrity, or availability of information /information system has been or is in danger of being compromised

Question 7

Incident to include in an incident response plan

Answer 7

• Information exposure or theft
• Information system theft
• Information system damage
• Information corruption
• Malware

Question 8

What is advisable to most organizations when it comes to incident response

Answer 8

Organizations are advised to test their incident response plans to make sure that they will be effective when a real security incident occurs.

Question 9

What is the purpose of corrective and preventive actions when it comes to security risk

Answer 9

To reduce risks by opting for corrective and preventives actions.

Question 10

What are part of a culture of continuous improvment

Answer 10

Corrective and preventives actions

Question 11

Role of the Board of Directors to the protection of information and assets

Answer 11

Responsible for directing executive management to provide adequate resources to the protection of information and assets.

Question 12

Role of the Executive Management to the protection of information and assets

Answer 12

Responsible for ratification and support of information security policy and overall responsibility for asset protection.

Question 13

Role of the Security steering committee to the protection of information and assets

Answer 13

A committee of senior-level officials from every department in the organization that is convened for approval of securities policies, discussions of risks-related matters , and allocation of resources to carry out asset protection.

Question 14

Chief Information Officer - CIO

Answer 14

Senior level official who is responsible for the deployment and operation of all information systems, and for the management of all information.

Question 15

Chief Information Security Officer (CISO) or Chief Information Risk Officer (CIRO)

Answer 15

Senior level official who is responsible for operation of the organization’s risk management program, and the development and enforcement of security policy and the protection of information assets

Question 16

Chief Privacy Officer - CPO

Answer 16

The senior-level official who is responsible for the proper handling of personally sensitive information belonging to employees and customers to protect their privacy rights

Question 17

• Security auditors

Answer 17

Responsible for monitoring and testing security controls and delivering written opinions on the effectiveness of those controls

Question 18

Security administrators

Answer 18

Responsible for operating or monitoring specific security controls such as user access controls, firewalls, or intrusion detection systems

Question 19

Security analyst

Answer 19

Responsible for implementing and/or enforcing security policy by designing, improving, and/or monitoring security processes and security controls

Question 20

Systems analysts

Answer 20

Responsible for implementing and/or enforcing security policy by designing application software that includes adequate controls to protect the application as well as the information that it manages and stores

Question 21

Responsible for coding application

Answer 21

Software developers software that includes controls to prevent application misuse or bypass of controls to protect the integrity and confidentiality of information

Question 22

Asset owners

Answer 22

Responsible for protection and integrity of assets, and for approving requests to access the assets they control

Question 23

Audit committee

Answer 23

A subset of the board of directors, responsible for reviewing internal and external audit reports and requiring executive management to respond to any nonconformities.

Question 24

What an effective security management program need to align with

Answer 24

The organization’s mission, strategies, and objectives.

Question 25

Information assets categories

Answer 25

• Information - software, tools and every type of data
• Information system - servers, workstation, mobile device, IT hardware etc.

Both information and information system need to be inventoried, and classified

Question 26

Hardware asset inventory

Answer 26

• Identification
• Value
• Location
• Condition
• Security classification
• Asset group
• Owner
• Custodian

Question 27

What is a hardware asset owner

Answer 27

Person or group responsible for the operation of the asset

Question 28

What to periodically check

Answer 28

Hardware asset since they are movable, they must be physically checked periodically to verify the information and existence of the asset.

Question 29

Information Assets

Answer 29

Intangible information stored in systems should be treated as an asset.

They should also be inventoried periodically.

Question 30

The four levels of information classification

Answer 30

secret, restricted, confidential, and public.