Chapter 2 review Flashcards

1
Q

Chapter 2 Review

A strategy is a plan to achieve a defined set of these

A

OBJECTIVES

2
Q

Chapter 2 Review

Objectives are the desired what in an organization, and within the organization’s information security program

A

FUTURE STATE

3
Q

Chapter 2 Review

A strategy should be business aligned to be able to deliver on these 3 things.
1. ____ ; Demonstrate good investment
2. ____ ; Demonstrate cost-benefit by getting the most out of available components
3. ____ ; Demonstrate the above through reporting

A
  1. VALUE
  2. OPTIMIZE RESOURCES
  3. BE MEASURABLE
4
Q

Chapter 2 Review

To be successful, an information security program must be aligned with the business and its overall (i) ____, (ii) ____ and ____, (iii) ____

A
  1. MISSION
  2. GOALS AND OBJECTIVES
  3. STRATEGY
5
Q

Chapter 2 Review

A successful and aligned security program does not lead the organization, but will instead do this for it.

A

ENABLE AND SUPPORT

6
Q

Chapter 2 Review

Risk assessments, vulnerability assessments, threat assessments, business impact analysis, metrics, a risk register, and incident logs are resources used to reveal the organisation's current state, which helps in this, which in turn helps achieve objectives.

A

DEVELOPMENT OF A STRATEGY

7
Q

Chapter 2 Review

  1. policy
  2. standards
  3. guidelines
  4. processes and procedures
  5. architecture
  6. controls
  7. staff skills
  8. insurance
  9. outsourced services.

Inputs from the above are required to better define the structure of this program

A

SECURITY PROGRAM

8
Q

Chapter 2 Review

It is critical that the security leader understands this about the security team, IT department, and entire organisation

A

CULTURE

9
Q

Chapter 2 Review

A security strategist must first understand this in order to develop a strategy and then be able to define a desired future state

A

CURRENT STATE

10
Q

Chapter 2 Review

This technique helps the strategist understand missing capabilities.

A

GAP ANALYSIS

11
Q

Chapter 2 Review

This planning tool defines the steps to develop missing capabilities and augment existing capabilities

A

ROADMAP

12
Q

Chapter 2 Review

Strategic planning can be supported by a SWOT analysis:

  1. S____
  2. W____
  3. O____
  4. T____
A
  1. STRENGTHS
  2. WEAKNESS
  3. OPPORTUNITIES
  4. THREATS
13
Q

Chapter 2 Review

The strategist may employ one or more of these to help determine appropriate future states of key security processes. One example is CMMI-DEV.

A

CAPABILITY MATURITY MODEL

14
Q

Chapter 2 Review

Strategy development begins with the development of these 2 components of a security program; one defines the way security governance is applied and the other the techniques and methods used to reduce identified risks.

A

SECURITY POLICIES and CONTROLS

15
Q

Chapter 2 Review

A security leader may choose to align the structure of security policy and controls to one of several standards:

  1. ____ 2019
  2. NIST SP 800- ____
  3. NIST SP 800- ____
  4. ISO/IEC ____
  5. H ____ / H ____
  6. P ____ D ____
  7. C ____ C ____
A
  1. COBIT 2019
  2. NIST SP 800-53
  3. NIST SP 800-171
  4. ISO/IEC 27002
  5. HIPAA / HITECH
  6. PCI DSS
  7. CIS CSC
16
Q

Chapter 2 Review

These 3 things should form part of strategy development after a security leader has developed and updated policy and controls, and chosen an industry standard to align to:

  1. ____ ; Baselines
  2. ____ ; Ownership
  3. ____ ; Educating the business
A
  1. STANDARDS
  2. ROLES AND RESPONSIBILITIES
  3. PERSONNEL TRAINED
17
Q

Chapter 2 Review

Commitment from these 2 parties is essential if the security strategy is to succeed.

A

EXECUTIVE and BUSINESS OWNERS

18
Q

Chapter 2 Review

The following are examples of these, which a security strategist must be aware of when trying to achieve strategic objectives:

  1. culture
  2. organizational structure
  3. existing staff capabilities
  4. budgets
  5. time
  6. legal and regulatory obligations.
A

OBSTACLES

19
Q

Chapter 2 Review

Security leaders should be aware of this phenomenon, the belief that security incidents will never happen.

A

NORMALCY BIAS

20
Q

Chapter 2 Review

Strategy development may include understanding and establishing this desired objective.

A

RISK LEVELS

21
Q

Chapter 2 Review

This model was developed by ISACA and is a guide for business-aligned, risk-based security governance.

A

BUSINESS MODEL FOR INFORMATION SECURITY
(BMIS)

22
Q

Chapter 2 Review

The Business Model for Information Security (BMIS) consists of these four elements:

  1. O____
  2. P____
  3. T____
  4. P____
A
  1. ORGANISATION
  2. PEOPLE
  3. TECHNOLOGY
  4. PROCESS
23
Q

Chapter 2 Review

The Business Model for Information Security (BMIS) consists of six dynamic interconnections (DIs):

  1. G____
  2. E____
  3. E____ & S ____
  4. C____
  5. A____
  6. H____
A
  1. Process < Governing > Organisation
  2. Process < Emergence > People
  3. Process < Enabling & Support > Technology
  4. People < Culture > Organisation
  5. Organisation < Architecture > Technology
  6. Technology < Human Factors > People
24
Q

Chapter 2 Review

This structure represents the implementation of the overall security strategy as well as the details that define the role of technology and asset protection.

A

SECURITY ARCHITECTURE

25
Q

Chapter 2 Review

ISO/IEC 27001 is a renowned standard for the development and management of this type of management system.

A

INFORMATION SECURITY MANAGEMENT SYSTEM
(ISMS)

26
Q

Chapter 2 Review

The NIST Cybersecurity Framework (CSF) maps high-level outcomes to several control frameworks. It is a taxonomy for assessing these 2 things of an organisation's current state.

A

SECURITY CAPABILITIES and MATURITY

27
Q

Chapter 2 Review

The NIST Risk Management Framework (RMF), described in NIST SP 800-37, provides a model for the risk management lifecycle, which is considered essential for organizations to do this effectively with regard to cyber risks.

A

IDENTIFY and MANAGE CYBER RISKS

28
Q

Chapter 2 Review

In strategic planning, one or more persons develop the steps and resources required to achieve this.

A

DESIRED END STATE
(which is an objective)

29
Q

Chapter 2 Review

Strategic planning should include the steps and resources required for the principal functions of the information security program to adequately protect these things within the organization.

A

INFORMATION ASSETS

30
Q

Chapter 2 Review

A roadmap is the list of steps required to achieve these.

A

STRATEGIC OBJECTIVES

31
Q

Chapter 2 Review

Building an effective one of these will help executive management agree to support and fund a strategy or security initiative.

A

BUSINESS CASE

32
Q

Chapter 2 Review

  1. problem statement
  2. description of the current state
  3. desired future state
  4. requirements
  5. approach
  6. plan to achieve the strategy

Each of the above items is an example of something to be addressed in one of these.

A

BUSINESS CASE

33
Q

Chapter 2 Review

This body reviews business cases and consists of business stakeholders.

A

IT STEERING COMMITTEE

34
Q

Chapter 2 Review

Control objectives are developed to achieve this with regard to risk.

A

ACCEPTABLE LEVEL OF RISK

35
Q

Chapter 2 Review

The extent to which acceptable levels of risk are achieved through control objectives is a good measure of this.

A

EFFECTIVENESS OF SECURITY STRATEGY

36
Q

Chapter 2 Review

This policy states the required failure modes, i.e., fail open or fail closed; this has implications for safety, confidentiality, and availability.

A

CONTROL POLICY

37
Q

Chapter 2 Review

During security program development, this is the primary reason why policies are changed.

A

NO LONGER REFLECT MANAGEMENT INTENT AND DIRECTION