Chapter 4: Governance and Risk Management Flashcards
Security Programme
An ongoing management activity for the preservation and advancement of the organization
Most crucial element in a programme
Policies
Charter
Top of the policies and standards library; usually written by management; another name for a programme level policy
Policy informational elements (best practice)
Title
Purpose
Authorizing individual
Author
Other policy references
Scope
Measurement expectations
Exception process
Accountability
Compliance management (and description of measurements)
Effective/expiration dates
Definitions
Programme level policy
Management sponsored “mission statement”
Programme framework policy
Describes the elements and organization of the programme and the department(s) that will carry out the programme level policy
Issue specific policy
Addresses specific issues or sets of issues of concern to the organization. Can be regulatory or compliance oriented
System specific policy
Focuses on a specific system, such as an access control system, a particular piece of equipment, or a legacy system
PLP Purpose
Defines the goals and structure of the programme. May designate high-level departments or offices
PLP Scope
Specifies which resources, information, and personnel are covered
PLP Responsibilities
Addresses which officials, offices, owners, and users are responsible for which tasks and own which information and to what degree
PLP Compliance
Authorizes the creation of guidelines for penalties or disciplinary actions for those who do not fulfill their responsibilities
Must account for both willful and unintentional noncompliance
PFP - Descriptive Points
More stable in the long term than an issue specific policy
Can address multiple semi-related issues at once
Examples include business continuity planning, application development security frameworks, physical security requirements for data centres, etc.
ISP - Issue Statement
Defines the issue and includes any relevant terms, distinctions, or conditions
ISP - Position
States an organization’s position clearly on the issue
ISP - Applicability
States when, where, how, to whom and to what a particular policy applies
ISP - Roles and Responsibilities
Assigns roles and responsibilities within the issue
ISP - Compliance
Describes penalties and disciplinary actions in cases of violation. May require coordination with collective bargaining bodies.
ISP - Points of Contact and Supplemental Info
Lists who to contact if more information is required or if an issue needs to be raised with someone (a manager, administrator, etc.)
Security Objectives
Series of statements to describe meaningful actions about specific resources; connected to
Operational Security
The nuts and bolts of who can access which resources, and when
Formal policies
Security role assignments, access lists, and anything likely to be contested
Policy implementation
Requires hardware, software and the human element; the question is how to actually achieve the granular level of control the policy calls for
Regulations
Laws enacted by legislators and the rules issued by regulators under them (GLBA, HIPAA, etc.)