Chapter 3

Question 1

What are the keywords for chapter 3?

Answer 1

authorities, external organizations, organizational structure, reporting structure, roles and responsibilities

Question 2

What are the key factors in determining the security organizational structure of a company?

Answer 2

mission, risk appetite, culture, size, budget

Question 3

It an org’s mission the most important factor to determine it’s security structure?

Answer 3

yes

Question 4

What are the risk-appetite factors of a risk-averse org?

Answer 4

more technical controls, higher tech cost, large security organization, emphasis on asset governance and management

Question 5

smaller number of assets to protect, outsourcing of asset hosting, smaller staff, more emphasis on asset governance is characteristic of what risk level?

Answer 5

risk willing

Question 6

What are the two types of cultures that determine an org’s security structure?

Answer 6

authoritative culture and open-minded/free culture

Question 7

Characteristics of an authoritative culture are

Answer 7

large org with a variety of security tools, high data protection measures, high protection against malware and attacks, heavy emphasis on following compliance and regulations

Question 8

Characteristics of an open-minded/free culture are

Answer 8

work from home/byod policies, no unified OS or app use, heavy collaboration between disparate teams, Open source intellectual properties, free intellectual property, emphasis on availability and integrity of assets more than protection of them, smaller staff, importsant assets are assets with code

Question 9

What are the org sizes that determine a security team’s structure?

Answer 9

small organization and large organization

Question 10

Characteristics of a small organization are

Answer 10

limited budgets, lack of specialized teams and roles, jack of all trade team members, great dependence on vendor support for difficult problems and large projects

Question 11

Characteristics of large organizations are

Answer 11

teams and roles segmented by product and specialty, larger budgets, less reliance on vendor support

Question 12

characteristics of small budgets are

Answer 12

usually associated with small orgs, cost to equip and train have to be low, may be staffed by volunteers and students

Question 13

what are the characteristics of a large budget?

Answer 13

multiple levels of staff and clear organizational hierarchy, heavy cost to support and train large teams , need to ensure rules and responsibilities are clear

Question 14

what are the organizational options for security teams to report to?

Answer 14

cep, cio, GRC (governance, risk, and compliance),cso, ciso , legal department, cfo, cto, coo

Question 15

What are the best organization positions that the security team should report to?

Answer 15

CSO and CISO

Question 16

Why are CSO and CISOs the best positions for the security team to report to?

Answer 16

Brings direct support to security teams and removes the need for the security team to compete for a seat at the decision table

Question 17

Why is reporting to the CEO and CIO the worst option for the security team?

Answer 17

Having opposing IT and security team viewpoints reporting to the same CIO could lead to conflict between the teams.

Question 18

Should the security team hamper business? Why or why not?

Answer 18

Security teams should not hamper business. If the security team looks obstructionist it could lead to the business not taking the security team’s advice. Don’t say no, say Let me see how I can help you securely achieve that goal”.

Question 19

How can reporting to the GRC (government , risks, and compliance) impede the security team?

Answer 19

GRC tends to favor regulatory and risk perfection which could slow the completion of security projects and task achievement

Question 20

How can reporting to the GRC (government, risks, and compliance) help the security team?

Answer 20

helps align security team’s task with business objectives and give the team quick access to risk identification

Question 21

What organizational support is needed for a security team to be effective?

Answer 21

executive management support, funding, skilled team members, clear security goals and roadmap

Question 22

How many direct reports can a manager manage before they become ineffective?

Answer 22

5

Question 23

What is the span of control?

Answer 23

The number of people that can be managed by one person before management becomes ineffective

Question 24

How do you calculate the headcount for an organization’s management

Answer 24

total count of workers in the organization / 5

Question 25

Who does the CISO normally report to?

Answer 25

CSO (chief security officer)

Question 26

What is an information security committee?

Answer 26

key stakeholders and management with direct responsibility for security

Question 27

What does an information security committee do?

Answer 27

review metrics to analyze security day to day operations, provide guidance and oversight for the security team, resolve complex issues and problems

Question 28

What do risk teams use to monitor risk and progress of risk resolution?

Answer 28

risk registers

Question 29

What does the privacy team do?

Answer 29

Ensures an org aligns with regulatory and legal private requirements

Question 30

Who determines what data is beholden to regulations?

Answer 30

privacy team

Question 31

What is a common privacy regulation?

Answer 31

Health Insurance Portability and Accountability Act (HIPPA)

Question 32

Who provides breach notification laws in each state?

Answer 32

National Conference of State Legislatures

Question 33

What is a data steward?

Answer 33

Individuals responsible for managing and maintaining org data and meta data;p including policies for data use and high level org alignment with data policies

Question 34

What is a data custodian

Answer 34

Individuals with control over data access granting, who work with data owners , who provide guidance for new tech/procedures, insures data policies are followed

Question 35

What are data owners?

Answer 35

individuals responsible for the creation, use, and deletion of data , can give and deny access to data they are directly responsible for , help develop data governance and processes, tells how data must be used

Question 36

What is a data user?

Answer 36

customers or orgs, ensure stored and used data is securely handled and maintained, weakest link in security chain, complex to develop security policy and governance for

Question 37

what is the importance of maintaining relationships with companies in the same industry?

Answer 37

• can provide data relevant to you since it is a similar org
• standing on shoulders of giants effect
• can gauge probable effect of new tech and cyber issues for your org

Question 38

What are the downsides of maintaining relationships with companies in the same industry?

Answer 38

vulnerabilities more likely to be revealed to the public

Question 39

What is the name for industry sharing bodies?

Answer 39

Information Sharing and Analysis Centers (ISACs)

Question 40

What are the downsides of auditors?

Answer 40

• if auditor is not skilled, they will overlook needed remediations
• they could judge security norms against a different set of standards than they were modeled after

Question 41

What is a key local version of scamming that local enforcement can assist with?

Answer 41

scimmers

Question 42

Which federal agencies handle cyber crime

Answer 42

FBI and Secret Service

Question 43

What is the FBI’s flash alert?

Answer 43

a service that notifies the public about new and current cyber attack mechanisms

Question 44

What are international investigations conducted through?

Answer 44

local country of targeted entity

Question 45

An organizational statement of intent is :

Answer 45

a policy

Question 46

what legal acts regulate security

Answer 46

• Sarbanes Oxley (SOX)
• Gramm-Leach Biley ACT
• Payment-Card industry (PCI)
• Health and Insurance Accountability and Portability Act (HIPPA)

Question 47

What are the types of information security policies?

Answer 47

organizational policy, standards,

Question 48

What are organizational policies?

Answer 48

• highest policy level in a company
• the parent policy for all child policy in an org
• mandatory and reflected in managerial requirements
• product and solution agnostic

Question 49

What do standards provide?

Answer 49

information control needed to meet regulatory requirements

Question 50

Who developed Control Objectives for Information and Technology (COBIT)

Answer 50

The Information Systems Audit and Control Association (ISACA)