CGRC Week 2 Flashcards
What is Corporate Governance?
A rulebook: the set of rules, policies and structures by which a company is directed and controlled, and through which management is held accountable.
What is IS Governance?
Information security governance ensures that security strategies align with business objectives, comply with laws and regulations, reduce risk to an acceptable level, and preserve the CIA triad (confidentiality, integrity, availability) through leadership, organizational structures and compliance enforcement.
Benefits of IS Governance?
1) Increase in share value for organizations that practice good governance
2) Increased predictability and reduced uncertainty of business operations
3) Protection from liability (lawsuits and penalties)
4) A structure and framework to optimize the allocation of limited security resources
What are the SIX basic outcomes of IS Governance?
1) Strategic alignment: security strategy aligns with and supports business strategy
2) Risk management: reduces risk to an acceptable level by identifying, measuring and mitigating information security risks
3) Value delivery: optimizes security investments so they support business objectives
4) Performance measurement: monitors and reports on whether security objectives are being achieved
5) Resource management: uses security knowledge, infrastructure and tools efficiently and effectively, with documented policies so the organization has a consistent rulebook to follow
6) Integration: ensures that all the organization's assurance processes and security controls work together seamlessly to protect information
What is a Framework?
A framework helps an enterprise respond rapidly through effective deployment of a security governance infrastructure. It is the foundation of a security program that is cost-effective, aligned with business goals and objectives, and reduces the impact of adverse events.
What does a Framework consist of?
1) A security strategy aligned with business goals
2) Security policies that address the strategy, the required controls and applicable regulations
3) Standards that ensure procedures and guidelines comply with the policies
4) Organizational structures that provide sufficient authority and resources
5) Metrics and monitoring processes that ensure compliance and provide feedback on effectiveness
Who makes decisions and manages teams and strategies?
Senior management, with oversight and direction from the Board of Directors
What are the roles in IS Governance?
1) Board of Directors
2) Executive Management
3) Security Steering Committee
4) The Chief Information Security Officer (CISO)
What are the responsibilities of each role?
1) Board of Directors
- Sets the tone at the top and the organization's risk appetite
- Oversight of risk management
2) Executive Management
- Integrates security with business objectives
3) Security Steering Committee
Made up of senior representatives of the main operational and administrative functions, who:
- Provide feedback and input on the security strategy
- Review and advise on whether security initiatives meet business objectives
- Identify risks and issues
4) The Chief Information Security Officer (CISO)
- Conducts risk assessments
- Develops security policies
As an IS manager, you have created a security plan. What should be the next step?
Obtain senior management approval, so the plan receives the required level of support: adequate resources, sufficient authority, backing for security awareness training, and the ability to raise security issues at board and senior management meetings.
What is a business case?
A business case is a document that gives decision makers the information they need to decide whether a project should proceed.
What are the considerations that make up a business case?
1) Value proposition (Is it worth it? Do the benefits outweigh the costs?)
2) Justification (Why is it important to the organization?)
3) Presentation (A brief overview of the project for the decision makers)
What does COSO stand for? What does it provide?
The Committee of Sponsoring Organizations of the Treadway Commission
It defines internal control as a process, effected by the board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives
What are the three categories of objectives in COSO?
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with laws and regulations
What are the five components of an effective internal control system under COSO that support the achievement of business objectives?
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information & Communication
5) Monitoring
What does COBIT stand for? What does it provide?
Control Objectives for Information and Related Technologies
It is an IT governance framework that aligns IT strategy with organizational goals, risk management and regulatory compliance
What are the 5 principles of COBIT 5?
1) Meeting stakeholder needs
2) Covering the enterprise end-to-end
3) Applying a single integrated framework
4) Enabling a holistic approach
5) Separating governance from management
What does ITIL stand for? What does it provide?
Information Technology Infrastructure Library
Provides best practices for ITSM (IT Service Management) and helps align IT services with business needs.
What does the ISO 27000 series provide?
A family of standards with best practice recommendations on information security management systems (ISMS) to protect organizations from information security risks
What does ISO 27001 do?
It specifies the requirements an organization must meet to establish, implement, maintain and continually improve an ISMS, and is the standard an organization can be certified against
What does ISO 27002 do?
It provides best practice guidance on selecting and implementing information security controls for the people responsible for implementing or maintaining an ISMS