Chapter 2 review Flashcards by C MC

Chapter 2 Review

A strategy is a plan to achieve a defined set of these

OBJECTIVES

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

Objectives are the desired what in an organization, and within the organization’s information security program

FUTURE STATE

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

A strategy should be business aligned to be able to deliver on these 3 things.
1. ____ ; Demonstrate good investment
2. ____ ; Demonstrate cost-benefit by getting the most out of available components
3. ____ ; Demonstrate the above through reporting

VALUE
OPTIMIZE RESOURCES
BE MEASURABLE

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

To be successful, an information security program must be aligned with the business and its overall (i) ____ ,(ii) ____ and ____ ,(iii) ____

MISSION
GOALS AND OBJECTIVES
STRATEGY

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

A successful and aligned security program does not lead the organization, but will instead do this for it.

ENABLE AND SUPPORT

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

Risk assessments, vulnerability assessments, threat assessments, business impact analysis, metrics, a risk register, and incident logs are a number of resources used reveal the organisations current state which helps in the development of this that helps achieve objectives.

DEVELOPMENT OF A STRATEGY

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

policy
standards
guidelines
processes and procedures
architecture
controls
staff skills
insurance
outsourced services.

Inputs from the above are required to better define the structure of this program

SECURITY PROGRAM

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

It is critical that the security leader understands this about the security team, IT department, and entire organisation

CULTURE

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

A security strategist must first understand this in order to develop a strategy and then be able to define a desired future state

CURRENT STATE

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

This technique helps the strategist understand missing capabilities.

GAP ANALYSIS

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

This planning tool defines the steps to develop missing capabilities and augment existing capabilities

ROADMAP

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

Strategic planning can be supported by a SWOT analysis;

S____
W____
O____
T____

STRENGTHS
WEAKNESS
OPPORTUNITIES
THREATS

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

The strategist may employ one or more of these to help determine appropriate future states of key security processes. An example includes CMMI-DEV

CAPABILITY MATURITY MODEL

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

Strategy development beings with the development of these 2 componets of a security program, 1 defines the way security governance is applied and the other techniques and methods used to reduce identified risks.

SECURITY POLICIES and CONTROLS

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

A security leader may choose to align the structure of security policy and controls to one of several standards;

____ 2019
NIST SP 800- ____
NIST SP 800- ____
ISO/IEC ____
H ____ / H ____
P ____ D ____
C ____ C ____

COBIT 2019
NIST SP 800-53
NIST SP 800-171
ISO/IEC 27002
HIPAA / HITECH
PCI DSS
CIC CSC

How well did you know this?

Not at all

Perfectly

Chapter 2 Review

These 3 things should form part of strategy development after a security leader has developed and updated policy and controls, and chosen an industry standard to align to;

____ ; Baselines
____ ; Ownership
____ ; Educating the business

STANDARDS
ROLES AND RESPONSIBILITIES
PERSONNEL TRAINED

Chapter 2 Review

Commitment from these 2 parties is essential if the security strategy to succeed.

EXECUTIVE and BUSINESS OWNERS

Chapter 2 Review

The following are examples of what that a security strategist must be aware of when trying to achieve strategic objectives;

culture
organizational structure
existing staff capabilities
budgets
time
legal and regulatory obligations.

OBSTACLES

Chapter 2 Review

Security leaders should be aware of this phenomenon, which is the belief security incidents will never happen.

NORMALCY BIAS

Chapter 2 Review

Strategy development may include understanding and establishing this desired objective

RISK LEVELS

Chapter 2 Review

This model was developed by ISACA and is a guide for business-aligned, risk-based security governance.

BUSINESS MODEL FOR INFORMATION SECURITY
(BMIS)

BMIS Model

Chapter 2 Review

The Business Model for Information Security (BMIS) consists of these four elements:

O____
P____
T____
P____

BMIS Model

ORGANISATION
PEOPLE
TECHNOLOGY
PROCESS

Chapter 2 Review

The Business Model for Information Security (BMIS) model consists of six dynamic interconnections (DIs)

G____
E____
E____ & S ____
C____
A____
H____

BMIS Model

Process < Governing > Organisation
Process < Emergence > People
Process < Enabling & Support > Technology
People < Culture > Organisation
Organisation < Architecture > Technology
Technology < Human Factors > People

Chapter 2 Review

This structure represents the implementation of the overall security strategy as well as the details that define the role of technology and asset protection

SECURITY ARCHITECTURE

Zachman Framework

TOGAF

# Chapter 2 Review **ISO/IEC 27001** is a renowned standard for the development and management of an this **management system**

INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

# Chapter 2 Review The **NIST Cybersecurity Framework (CSF)** maps **high-level outcomes** to **several control frameworks**. It is a taxonomy for **assessing** these **2 things** of an organisations current state.

SECURITY CAPABILITIES and MATURITY

# Chapter 2 Review The **NIST risk management framework (RMF)**, described in NIST SP 800-37, provides a model for the **risk management lifecycle**, which is considered essential for organizations to do this effectively in regards to cyber risks.

IDENTIFY and MANAGE CYBER RISKS

# Chapter 2 Review With **Strategic planning**, one or more persons develop the steps and resources required to achieve a what.

DESIRED END STATE (which is an objective)

# Chapter 2 Review **Strategic planning** should include the **steps and resources required** for principal functions of the information **security program** to protect these things within the organization adequately

INFORMATION ASSETS

# Chapter 2 Review A **roadmap** is the list of steps required to achieve these

STRATEGIC OBJECTIVES

# Chapter 2 Review Building an effective one of these will **help executive management agree** to **support and fund** a strategy or security initiative

BUSINESS CASE

# Chapter 2 Review 1. problem statement 2. description of the current state 3. desired future state 4. requirements 5. approach 6. plan to achieve the strategy Each of the above items are examples of things to be addressed in one of these

BUSINESS CASE

# Chapter 2 Review This party will review **Business cases**, and consists of **business stakeholders**

IT STEERING COMMITTEE

# Chapter 2 Review **Control objectives** are **developed to achieve** this in regards to risk

ACCEPTABLE LEVEL OF RISK

# Chapter 2 Review The **extent** to which **levels of acceptable risk are achieved** through control objectives is a **good measure** of the **effectiveness** of this

EFFECTIVENESS OF SECURITY STRATEGY

# Chapter 2 Review This **policy** will state the **required failure modes** i.e. fail open or fail closed. This has implications on safety, confidentiality, and availability

CONTROL POLICY

# Chapter 2 Review During a **security program development**, this is the primary reason why policies will be changed

NO LONGER REFLECT MANAGEMENT INTENT AND DIRECTION