Chapter 3 - Governance and Security Planning Flashcards

1
Q

Mission: explicitly declares the business of the organisation; it is the organisation's identity and describes how the organisation gets where it is going.

Vision: where the organisation wants to go. Visions are not meant to express the probable, only the possible.

Value Statement: a formal set of principles and values for measuring behaviour.

A

..

2
Q

Planning Hierarchy

A

Corporate Strategy
  |- Financial Strategy
  |- IT Strategy
  |- Operations Strategy
  |- ...
       |
  Infosec Strategy (derived from the corporate and business unit strategies)
       |
  Infosec Tactical Planning
       |
  Infosec Operational Planning

3
Q

Budgeting, resource allocation and personnel are critical components of a tactical plan.

A

Managers and employees use operational plans, which are derived from tactical plans, to organise the ongoing, day-to-day performance of tasks.

4
Q

The first priority of the CISO should be the structure of the strategic plan.

The basic components of a typical organisation-level strategic plan include:

A
  1. executive summary
  2. mission, vision, and values statements
  3. organisational profile and history
  4. strategic issues and challenges
  5. organisational goals and objectives
  6. major business unit goals and objectives
  7. appendices.
5
Q

IDEAL

Initiating:

Diagnosing: determine where you are relative to where you want to be

Establishing: plan how you will reach there

Acting: do the work according to the plan

Learning: learn from experience and improve

A

.

6
Q

Information Security Governance Responsibilities

CEO
sees the overall security posture
briefs the board, customers and the public

CISO, CSO, CRO, Department Heads
set security policy, program and training for the company
respond to security breaches
are responsible for the annual independent audit
implement, audit and assess compliance

Mid-Level Managers
implement, audit and assess compliance
communicate policies and the program (training)

Employees
communicate policies and the program (training)
implement policy, report security vulnerabilities and breaches

A

.

7
Q

CERT GES Hierarchy

Risk Management Plans
Enterprise Security Strategy
Enterprise Security Plan
BU Plans, policies, procedures, architectures

A

.

8
Q

ISO/IEC 27014:2013
Governance of Information Security

Evaluate: the current status
Direct
Monitor
Communicate
Assure

A

.

9
Q

Security Convergence

the merging of management accountability in the areas of physical security, corporate risk management, computer security, network security and InfoSec.

A

.

10
Q

Top-down approach to security implementation

must have a champion.

A

.

11
Q

SDLC: system development life cycle

SecSDLC: security system development life cycle

After implementation, the security program should be supported by a continuous improvement process (CIP).

IDEAL is one of the popular CIP models.

A

..

12
Q

SDLC waterfall methodology (Implementation)

Investigation: begins with policy. Managers and employees investigate problems, define scope, identify goals…
Analysis: risk management starts here
Logical and physical design: security policy, SETA, controls, contingency planning
Implementation: …
Maintenance and change:

A

Implementation:
Champion: senior-level sponsor

Team leader: understands project management, personnel management and the technical requirements

Security policy developers: understand company culture, policies and requirements

Security professionals
System administrators
End users

13
Q

Control Types:

Managerial controls: security program management; address risk management and security controls.

Operational controls: address disaster recovery, personnel security and physical security.

Technical controls: logical access controls.

A

Infosec and staffing:

  1. Where to position security.
  2. Infosec community: plan for proper staffing.
  3. IT community: understand how infosec affects IT and adjust job descriptions and documented practices.
  4. General community: works with infosec to integrate infosec concepts into personnel management processes.
14
Q

CISO: responsible for the assessment, management and implementation of security

Security managers: day-to-day operations of the infosec program, accomplishing objectives set by the CISO, resolving issues identified by technicians

Security technicians: diagnosing and troubleshooting problems, configuring e.g. firewalls, ensuring secure implementation

Data owners: control, and are therefore responsible for, the information

Data trustees: C-level executives who are ultimately responsible

A

..
