16 Security Governance Flashcards
What do security governance practices ensure?
Organizations achieve their strategic objectives
Security governance practices are essential for aligning security efforts with business goals.
What are governance programs?
Sets of procedures and controls for directing organizational work
Governance programs may involve various stakeholders, including boards and regulators.
What is the difference between centralized and decentralized governance models?
Centralized uses a top-down approach; decentralized delegates authority to subordinate units
This affects how security objectives are met within the organization.
What components make up policy frameworks?
Policies, standards, procedures, and guidelines
Each element serves a different purpose within the information security program.
What are policies in the context of information security?
High-level statements of management intent
Policies guide the overall direction of the security program.
What is the role of standards in a policy framework?
Describe detailed implementation requirements for policy
Standards ensure compliance with the established policies.
What do procedures provide in a security program?
Step-by-step instructions for security activities
Procedures are critical for consistent implementation of security measures.
What are guidelines in a policy framework?
Optional advice that complements policies, standards, and procedures
Guidelines provide flexibility in implementation.
Name common security policies that organizations may adopt.
- Information security policy
- Acceptable use policy
- Data ownership policy
- Data retention policy
- Account management policy
- Password policy
The specific policies depend on the organization’s culture and needs.
What should policy documents include regarding exceptions?
Exception processes outlining required information and approval authority
This ensures proper management of policy deviations.
What is the primary goal of change management?
Ensure that changes do not cause outages
Change management processes are vital for system availability.
What must be evaluated during change review processes?
The potential impact of any change
This helps mitigate risks associated with changes.
What compliance requirements do organizations face?
- Payment Card Industry Data Security Standard (PCI DSS)
- EU General Data Protection Regulation (GDPR)
- National, territory, and state laws
Compliance is crucial for legal and operational integrity.
What do standards frameworks provide?
An outline for structuring and evaluating cybersecurity programs
Frameworks help organizations assess their cybersecurity posture.
Name two examples of security frameworks.
- NIST Cybersecurity Framework (CSF)
- International Organization for Standardization (ISO) standards
These frameworks guide security program development and evaluation.
What is the NIST Risk Management Framework (RMF) used for?
Guiding U.S. federal government agencies and contractors
RMF helps in managing risks in federal environments.
What is the purpose of security training and awareness?
Ensure individuals understand their responsibilities
Training and awareness are essential for maintaining security in organizations.
What do security training programs aim to do?
Impart new knowledge to employees and stakeholders
Tailoring training to roles enhances its effectiveness.
What is the focus of security awareness programs?
Remind users of their security responsibilities
These programs keep security top-of-mind for employees.