Chapter 3 Flashcards
What are the keywords for chapter 3?
authorities, external organizations, organizational structure, reporting structure, roles and responsibilities
What are the key factors in determining the security organizational structure of a company?
mission, risk appetite, culture, size, budget
Is an org’s mission the most important factor in determining its security structure?
yes
What are the risk-appetite factors of a risk-averse org?
more technical controls, higher tech cost, large security organization, emphasis on asset governance and management
A smaller number of assets to protect, outsourcing of asset hosting, a smaller staff, and more emphasis on asset governance are characteristic of what risk level?
risk willing
What are the two types of cultures that determine an org’s security structure?
authoritative culture and open-minded/free culture
Characteristics of an authoritative culture are
large org with a variety of security tools, high data protection measures, high protection against malware and attacks, heavy emphasis on following compliance and regulations
Characteristics of an open-minded/free culture are
work from home/BYOD policies, no unified OS or app use, heavy collaboration between disparate teams, open source intellectual property, free intellectual property, emphasis on availability and integrity of assets more than protection of them, smaller staff, important assets are assets with code
What are the org sizes that determine a security team’s structure?
small organization and large organization
Characteristics of a small organization are
limited budgets, lack of specialized teams and roles, jack-of-all-trades team members, great dependence on vendor support for difficult problems and large projects
Characteristics of large organizations are
teams and roles segmented by product and specialty, larger budgets, less reliance on vendor support
What are the characteristics of a small budget?
usually associated with small orgs, costs to equip and train have to be low, may be staffed by volunteers and students
What are the characteristics of a large budget?
multiple levels of staff and a clear organizational hierarchy, heavy cost to support and train large teams, need to ensure roles and responsibilities are clear
What are the organizational options for security teams to report to?
CEO, CIO, GRC (governance, risk, and compliance), CSO, CISO, legal department, CFO, CTO, COO
What are the best organization positions that the security team should report to?
CSO and CISO
Why are CSO and CISOs the best positions for the security team to report to?
Brings direct support to security teams and removes the need for the security team to compete for a seat at the decision table
Why is reporting to the CEO and CIO the worst option for the security team?
Having opposing IT and security team viewpoints reporting to the same CIO could lead to conflict between the teams.
Should the security team hamper business? Why or why not?
Security teams should not hamper business. If the security team looks obstructionist, it could lead to the business not taking the security team’s advice. Don’t say “no”; say “Let me see how I can help you securely achieve that goal.”
How can reporting to GRC (governance, risk, and compliance) impede the security team?
GRC tends to favor regulatory and risk perfection, which could slow the completion of security projects and task achievement
How can reporting to GRC (governance, risk, and compliance) help the security team?
helps align the security team’s tasks with business objectives and gives the team quick access to risk identification
What organizational support is needed for a security team to be effective?
executive management support, funding, skilled team members, clear security goals and roadmap
How many direct reports can a manager manage before they become ineffective?
5
What is the span of control?
The number of people that can be managed by one person before management becomes ineffective
How do you calculate the management headcount for an organization?
total count of workers in the organization / 5
Who does the CISO normally report to?
CSO (chief security officer)
What is an information security committee?
key stakeholders and management with direct responsibility for security
What does an information security committee do?
review metrics to analyze security day to day operations, provide guidance and oversight for the security team, resolve complex issues and problems
What do risk teams use to monitor risk and progress of risk resolution?
risk registers
What does the privacy team do?
Ensures an org aligns with regulatory and legal privacy requirements
Who determines what data is beholden to regulations?
privacy team
What is a common privacy regulation?
Health Insurance Portability and Accountability Act (HIPAA)
Who provides breach notification laws in each state?
National Conference of State Legislatures
What is a data steward?
Individuals responsible for managing and maintaining org data and metadata, including policies for data use and high-level org alignment with data policies
What is a data custodian?
Individuals with control over granting data access, who work with data owners, provide guidance for new tech/procedures, and ensure data policies are followed
What are data owners?
individuals responsible for the creation, use, and deletion of data; can grant and deny access to data they are directly responsible for; help develop data governance and processes; specify how data must be used
What is a data user?
customers or orgs; must ensure stored and used data is securely handled and maintained; the weakest link in the security chain; complex to develop security policy and governance for
What is the importance of maintaining relationships with companies in the same industry?
- can provide data relevant to you since it is a similar org
- standing on shoulders of giants effect
- can gauge probable effect of new tech and cyber issues for your org
What are the downsides of maintaining relationships with companies in the same industry?
vulnerabilities more likely to be revealed to the public
What is the name for industry sharing bodies?
Information Sharing and Analysis Centers (ISACs)
What are the downsides of auditors?
- if auditor is not skilled, they will overlook needed remediations
- they could judge security norms against a different set of standards than the ones they were modeled after
What is a key local form of scamming that local law enforcement can assist with?
skimmers
Which federal agencies handle cyber crime?
FBI and Secret Service
What is the FBI’s flash alert?
a service that notifies the public about new and current cyber attack mechanisms
Through whom are international investigations conducted?
the local authorities of the targeted entity’s country
An organizational statement of intent is:
a policy
What legal acts regulate security?
- Sarbanes-Oxley (SOX)
- Gramm-Leach-Bliley Act
- Payment Card Industry (PCI)
- Health Insurance Portability and Accountability Act (HIPAA)
What are the types of information security policies?
organizational policy, standards,
What are organizational policies?
- highest policy level in a company
- the parent policy for all child policies in an org
- mandatory and reflected in managerial requirements
- product and solution agnostic
What do standards provide?
the information controls needed to meet regulatory requirements
Who developed Control Objectives for Information and Related Technology (COBIT)?
The Information Systems Audit and Control Association (ISACA)