B- Business Alignment Flashcards
Information security program and the rest of the organization
An organization’s information security program NEEDS TO FIT INTO the rest of the organization
goals and objectives
Specify the activities that are to take place in support of the organization’s overall strategy.
risk appetite
The level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.
risk capacity
The objective amount of loss that an organization can tolerate without its continued existence being called into question.
Does an organization have a single risk tolerance across the entire business?
No, because different business functions and different aspects of security will have varying levels of risks.
Role
A description of expected activities that employees are obliged to perform as part of their employment.
What are roles typically associated with?
Job title or position title
Position title which includes rank
It denotes an individual person’s seniority, placement within a command-and-control hierarchy, span of control, or any combination of these.
Responsibility
A statement of activities that a person is expected to perform.
Where are roles and responsibilities documented?
In position descriptions and job descriptions
RACI Chart
It assigns levels of responsibility to individuals and groups
Responsible - Accountable - Consulted - Informed
Responsible in RACI
The person or group that performs the actual work or task.
Accountable in RACI
The person who is ultimately answerable for complete, accurate, and timely execution of the work. Often this is a person who manages those in the Responsible role.
Consulted in RACI
One or more people or groups who are consulted for their opinions, experience, or insight. People in the Consulted role may be subject-matter experts.
Communication with the Consulted role is two-way.
Informed in RACI
One or more people or groups who are informed by those in other roles. Depending on the process or task, Informed may be told of an activity before, during, or after its completion.
Communication with Informed is one-way.