1.3 Evaluate and Apply Security Concepts

Question 1

What is Corporate Governance Based Upon?

Answer 1

The goals and objectives of an organization.

Question 2

What is the Goal of Governance?

Answer 2

Enhance and Organizations value.

Question 3

What are examples of Corporate Governance Activities.

Answer 3

Anything that helps and organization meet their goals and adds value to an organization. | Creating new processes, product, services | Making relationships with 3rd-party clients | Improving margins and cashflows | etc.

Question 4

How Must Security be Managed to Ensure Alignment of Goals?

Answer 4

From top down, starting with the ones driving what security must do to achieve the goals of the organization. | From CISO executives, to management, to employees, etc.

Question 5

What Must Security Governance Align With and What Should Drive its Goals?

Answer 5

Security Governance must align with corporate governance and should be driven by the companies goals and objectives.

Question 6

Rather than Being a Reactive Function, What should Security be?

Answer 6

A Proactive Enabler.

Question 7

What is Required by Senior Management to Ensure Strong Security Governance?

Answer 7

Strong Convictions about the need for security | Can convince them alone, or hire outside consultants to push the needle in securities favor.

Question 8

How can you Sum up Governance in a Few Sentences?

Answer 8

To govern is to lead. Ultimately, governance is elected to increase value for the assets under their jurisdiction. Often, done by a team of people with the ultimate goal of increasing the value– prosperity, sustainability, and viability– of their organizations.

Question 9

Who are the Governing Bodies of an Organization?

Answer 9

Board of Directors, CEO, and Senior Management. | Can include more roles, but always those representing/overseeing a team.

Question 10

What is the Organizations’ Equivalence of Local and Municipal Laws?

Answer 10

Policies.

Question 11

Who is in Charge of Establishing an Organization’s Goals and Objectives that Ultimately set the Tone for Governance?

Answer 11

The Board of Directors.

Question 12

Who is Appointed by the Board of Directors to be Accountable for Corporate Governance?

Answer 12

Chief Executive Office (CEO)

Question 13

What are the Goals of an Organization’s CEO?

Answer 13

Be accountable for all the activities and initiatives that an organization undertakes to achieve its goals and objectives.

Question 14

Who is Responsible for Consistently Communicating a Security Culture to Ensure Effective and Good Security?

Answer 14

From Top Down Structure, Board of Directors, CEO, and Senior Management.

Question 15

Effective Security Governance can be Achieved by Drawing Knowledge and Experience from Where/Who?

Answer 15

Senior Management, Legal, IT, HR, and key functional areas of the organization.

Question 16

What can be Created to Maintain Strong Organizational Governance?

Answer 16

An Organization Governance Committee who meets often to ensure goals between functional departments are aligned.

Question 17

What is Scoping and Tailoring?

Answer 17

Scoping look are potential control elements and determines if they are in scope. Tailoring is refining these scoped elements to they’re most effective for the organization.

Question 18

TRUE or FALSE:
Tailoring is not concerned with the cost-effectiveness of security measures so long as it mitigates exposed risk?

Answer 18

False: Tailoring should be cost-effective relative to what they’re protecting, and ultimately add value to the organization.

Question 19

TRUE or FALSE:
The Board of Directors and Senior Management do not Need to Support Security Functions?

Answer 19

False: Without support from the top of the hierarchy, security can quickly become a reactive nuisance versus a proactive enabler.

Question 20

What are CEO’s, CFO’s, and Data Controllers individually resposnible for?

Answer 20

CEOs is ultimately accountable for organizations goals, CFOs are accountable for accuracy of financial reports, Data Controllers are accountable for privacy.

Question 21

Explain the Difference Between Accountability and Responsibility.

Answer 21

Accountability cannot be delegated and is applicable to one person or group. They make the rules and policies.
Responsibility can be delegated and multiple people can be responsible, though accountability ultimately falls on the delegater. They develop plans and implement controls.

Question 22

If Certain Functions of an Organzation are Managed by a Responsible 3rd party, such as payroll, who is accountable for the assets managed?

Answer 22

Ultimately, the owner of the assets being managed. CEO or group assigned to the assets who delegated the responsibility to the downstream party.

Question 23

If a Cloud Service Provider (CSP) houses customer data your organization owns, who is accountable in the event of data being leaked if a breach of the CSP occurs?

Answer 23

Ultimately, the owner of the data is responsible. This is whoever delegated the responsibility to the CSP.

Question 24

Who is Ultimately Responsible for Every Single Asset and Organization Owns?

Answer 24

Ultimately, the CEO and the Board of Directors, though this is not realistic for larger companies. You cannot delegate the accountability, but in large companies senior management is accountable for the data they manage.

[This is not a delegation of accountability, but rather a means to assign a person the position to ‘own’ that assets they manage, making them accountable. If they are not listed, then the next up in the hierarchy is responsible.]

Question 25

What Accountability does the Security Function Hold?

Answer 25

All Security Governance Activities that have been driven, or initiated by, those who are accountable: the Board, CEO, and other C-Suite executives.

Question 26

What is the Overall Role of Security?

Answer 26

To be an Enabler.

Question 27

Who is the Owner/Controller of an Asset?

Answer 27

Whoever created, bought, or is most familiar with an asset.

Question 28

What are Owners, Controllers, Functional Leaders, and Senior Management Accountable For?

Answer 28

Ensuring appropriate security controls consistent with the organization’s security policy are implemented to protect the organization’s assets. | Determine appropriate sensitivity or classification levels | Determine access privileges

Question 29

What are Information System Security Professionals and IT Security Officers responsible for?

Answer 29

Designing, Implementing, managing, and reviewing organization’s security policies, standards, baselines, procedures, and guidelines.

Question 30

What are Information Technology Officers responsible for?

Answer 30

Developing and implementing technology solutions. | Working closely with IS and IT security professionals and officers to evaluate security strategies | Working closely with the Business Continuity Team (BCM) to ensure continuity of operations should disruption occur.

Question 31

What is the IT Function Responsible for?

Answer 31

Implementing and Adhering to security policies.

Question 32

What are Operator’s and Administrators responsible for?

Answer 32

Managing, Troubleshooting, and applying hardware and software patches to systems as necessary. | Managing user permissions, per the owner’s specifications | Administering and managing specific applications and services.

Question 33

What are Network Administrators responsible for?

Answer 33

Maintaining computer networks and resolving issues with them. | Installing and configuring network equipment and systems and resolving problems.

Question 34

What are Information System Auditors responsible for?

Answer 34

Providing management with independent assurance that the security objectives are appropriate. | Determining whether security policies, standards, baselines, procedures, and a guidelines are appropriate and effective to comply with the Organization’s objectives | Determining whether objectives have been met.

Question 35

What are Users responsible for?

Answer 35

Adherence to security policies and preserving the availability, integrity, and confidentiality of assets when accessing and using them.

Question 36

What is a Data Custodian Responsible for?

Answer 36

Ensuring the assets entrusted to them are protected and accessible when needed, as well as ensuring data is not divulged while in their care.

Question 37

How do Data Owners and Data Custodians differ?

Answer 37

Data Owners ultimately own the assets belonging to them. Data Custodians are granted ‘custody’ of the assets are responsible for their protection while it is in their care.

Question 38

In the event of a data breach, who is ultimately responsible for accountable for the data if handled by a data custodian?

Answer 38

Ultimately, the responsibility falls on the Data Custodian. However, the accountability belongs to the asset owner. This is because the asset owner entrusted the data with the data custodian, and must work with the security function to provide the resources to properly protect the data.

Question 39

Who provides the tools to protect data passed to the data custodian?

Answer 39

The Security Function will provide these tools. The asset owner is accountable for ensuring this.

Question 40

Who Specifically is Responsible for Ensuring Security?

Answer 40

EVERYONE!!! | Security follows the top-down structure for a reason. It start with the Board and CEO, then trickles down to each individual user. Top-level responsibilities include creating policies and rules to ensure security, while it is all users’ roles to follow these policies.

Question 41

How does Due Care and Due Diligence differ?

Answer 41

Due Care is the actions taken to ensure that assets are assessed and protected. Due Diligence is the ability to prove Due Care was established in a cost-effective way.

Question 42

When Applying Asset Controls, What Requirements MUST be Met?

Answer 42

At a minimum, Compliance Requirements must be met to ensure the organization meets minimum standards for protecting sensitive assets.

Question 43

What Four Compliance Requirements must and Organization Follow?

Answer 43

Laws, Regulations, Industry standards and Policies.

Question 44

What are Compliance Laws?

Answer 44

Laws that must be followed based on the assets owned or managed, or the industry, jurisdiction, or country in which the organization resides. | Examples include HIPPA, GLBA, COPPA, FISMA, DMCA, and GDPR.

Question 45

What are Compliance Regulations?

Answer 45

Specific regulations that an organization must comply with that are based on assets owned or managed, of the industry, jurisdiction, or country the organization operates. |Examples include International Traffic and Arms Regulations (ITAR) and Encryption Export Controls.

Question 46

What are Industry Standards?

Answer 46

Industry specific procedural and technical rules that help guide activities of an organization.

Question 47

What three functions must work together to ensure compliance? Who does these functions support?

Answer 47

Legal, Privacy, and Audit/Compliance. These will ultimately provide the drive and initiative for security when implementing security controls.

Question 48

How does Legal and Privacy help Security?

Answer 48

They help understand what is required from a compliance perspective?

Question 49

How does Audit/Compliance help Security?

Answer 49

They monitor active compliance, so the security function will advice and enforce security controls.