C-Board of Directors and Strategy Flashcards
Board of Directors
The board of directors is a body of people who oversee the activities of an organization.
Technology risk committee
A committee of technically (IT) savvy board members that some organizations form.
Executive Management
Executive management is responsible for carrying out directives issued by the board of directors.
Executive management in the context of security management
Its role includes ensuring that there are sufficient resources for the organization to implement a security program and to develop and maintain security controls that protect critical assets.
Chief Information Security Officer (CISO)
Responsible for all aspects of data-related security. This usually includes incident management, disaster recovery, vulnerability management, and compliance. The role is usually kept separate from IT.
To ensure the success of the organization's information security program, executive management should be involved in three key areas:
- Ratify corporate security policy: Security policies developed by the information security function should be visibly ratified or endorsed by executive management.
- Leadership by example: With regard to information security policy, executive management should lead by example and not exhibit behavior suggesting they are "above" security policy, or any other policy.
- Ultimate responsibility: Executives are ultimately responsible for all actions carried out by the personnel who report to them, including outsourced personnel.
Steering committee responsibilities
Consists of stakeholders from many departments, with responsibilities such as:
• Risk treatment deliberation and recommendation
• Discussion and coordination of IT and security projects
• Discussion of new laws, regulations, and requirements
• Review of recent security incidents
The responsibilities of business process and business asset owners include:
- Access grants
- Access revocation
- Access reviews
- Configuration
- Function definition
- Process definition
- Physical location
Asset custodians
Act as proxies for asset owners and make access grants and other decisions on their behalf.
Business process and business asset owners
They might not be technology experts, but they are accountable for making business decisions that can affect the use of information technology, the organization's security posture, or both.
What defines the authorities and activities of the board of directors?
The organization's constitution, bylaws, or external regulations.
To whom is the board of directors accountable?
The owners of the organization or, in the case of a government body, the electorate.
What duties do board members have?
Fiduciary duties.
U.S. Sarbanes-Oxley Act
Requires the board to form an audit committee.
What experience does the U.S. Sarbanes-Oxley Act require of the audit committee?
One or more audit committee members are required to have financial management experience.
Who may review recent risk assessments, and why?
The security steering committee, in order to develop a common understanding of the results and of the remediation of findings.
Main mission of a security steering committee
To identify and resolve conflicts and to maximize the effectiveness of the security program, balanced against other business initiatives and priorities.
What do IT and information security form?
The organization.
Access grant
Asset owners decide who should gain access to the asset, as well as the level of access (read or write, create or delete).
Access review
Asset owners should periodically review the access list to validate existing access grants.
Function definition
Asset owners determine which functions will be available, how they will work, and how they will support business processes.