Domain 1: Information Security Governance (24%) Flashcards
Cybersecurity governance programs guide and direct ???.
Governance programs guide and direct organization wide cyber security efforts.
A governance framework consists of?
Policies, controls, standards, procedures, guidelines, and metrics.
Organizations often adopt a set of security policies covering different areas of their security programs.
What are the different policies that are part of the security programs:
Common policies used in security programs include:
- information security policy
- acceptable use policy
- data ownership policy
- data retention policy
- account management policy
- password policy
Why should policy documents include exception processes?
Exception processes should outline the information required to receive an exception to security policy and the approval authority for each exception.
The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.
What type of frameworks do security managers use?
Like other types of models, organizations are expected to consider tailoring a standard framework to align with the organization and its business model, practices, and culture. Security managers draw on several types of frameworks:
- Governance frameworks: involve activities to ensure that executives are in control of the organization and that they are adequately informed.
- Control frameworks: involve IT, security, and privacy controls, the detailed statements describing desired outcomes that are examined for proper design and effectiveness.
- Architecture frameworks
- Risk management frameworks
How does the vision of a business flow down in an organization from IT strategy to security strategy?
Organizational culture is the term that describes how people within an organization ???
Organizational culture is the term that describes how people within an organization:
* treat one another
* get things done.
Many organizations establish a set of values that defines the norms of professional behavior. Terms such as respect, collaboration, and teamwork are often used in these values. Some organizations publish formal value statements and print them for display in lobbies, offices, and conference rooms.
Every organization also has a risk culture, which affects how the organization does what with risk?
Where does it come from?
Every organization also has a risk culture, which affects how the organization:
* deals with risk
* treats risk over time.
This culture is developed from several sources. First, it can come from the organization’s leadership, based on their business and management philosophies, attitudes, education, and experience. It can also come from the organization’s governance.
Remember that governance essentially comprises the rules and regulations imposed on the organization either by external entities (in the form of laws, for example) or internally by the organization itself. As discussed, risk tolerance and risk appetite support the organizational risk culture.
What is the goal of the organization’s cybersecurity steering committee?
Reading between the lines, the primary mission of a security steering committee is to identify and resolve conflicts and to maximize the effectiveness of the security program, as balanced among other business initiatives and priorities.
Governance is usually undertaken through a steering committee that consists of executives from throughout the organization. The steering committee is responsible for setting overall strategic direction and policy, ensuring that security strategy aligns with the organization’s IT and business strategy and objectives. The directives of the steering committee are carried out through projects and tasks that steer the security organization toward strategic objectives. The steering committee can monitor progress through metrics and a balanced scorecard.
Security governance is accomplished using the same means as IT governance: it begins with board-level involvement that sets the tone for risk appetite and is carried out through the chief information security officer, who develops security and privacy policies, as well as strategic security programs, including software assurance, change management, vendor management, configuration management, incident management, vulnerability management, security awareness training, and identity and access management.
For an information security program to be successful, it must ….
align with the business and its overall mission, goals and objectives, and strategy.
The security program must consider the organization’s notion of asset value, culture, risk tolerance/appetite, legal obligations, and market conditions.
A successful and aligned security program does not lead the organization but enables and supports it to carry out its mission and pursue its goals.
Security governance is used to establish roles and responsibilities for:
Where are the roles and responsibilities defined?
Security governance is used to establish roles and responsibilities for security-related activities throughout all layers of the organization, from the board of directors to individual staff.
Roles and responsibilities are defined in job descriptions, policy and process documents, and RACI charts.
The security steering committee is responsible for
The security steering committee is responsible for security strategic planning.
The security steering committee will develop and approve security policies and appoint managers to develop and maintain processes, procedures, and standards, all of which should align with one another and with the organization’s overall mission, strategy, goals, and objectives.
What does the CISO do?
The CISO develops business-aligned security strategies that support the organization’s overall mission and goals and is responsible for the organization’s overall security program, including policy development, risk management, and perhaps some operational activities such as vulnerability management, incident management, access management, and security awareness training. In some organizations, the topmost security executive has the title of chief security officer or chief information risk officer.
What does the Chief Privacy Officer do?
The chief privacy officer is responsible for the protection and proper use of sensitive personal information (often referred to as personally identifiable information). The CPO’s information protection responsibilities are sometimes shared with the CISO, who has overall information protection responsibilities. The chief compliance officer is responsible for a broad range of compliance tracking and reporting.
What is a strategy?
What is the purpose of a strategy?
While a specific strategy itself may be complex, the concept of a strategy is quite simple: it can be defined as the plan to achieve an objective.
The effort to build a strategy requires more than saying those six words. Again, however, the idea is not complicated. The concept is this:
Understand where you are now and where you want to be.
The strategy is the path you have outlined, communicated, and documented that the organization will follow to get from where you are (current state) to where you want to be (strategic objective).
What are the objectives of a strategy?
The security objectives are the desired future state of the organization’s security posture and level of risk.
There are, in addition, objectives of a strategy. These objectives are as follows:
* Business alignment: The desired future state, and the strategy to get there, must be in alignment with the organization and its strategy and objectives.
* Risk appetite alignment: An organization’s information security program implicitly drives an organization toward a specific level of risk, which may or may not align with the organization’s true level of risk appetite.
* Effective risk management: A security program must include a risk management policy, processes, and procedures. Without effective risk management, decisions are made blindly without regard to their consequences or level of risk.
* Value delivery: The desired future state of a security program should include a focus on continual improvement and increasing efficiency. No organization has unlimited funds for security; instead, organizations need to reduce risk at the lowest reasonable cost.
* Resource optimization: Similar to value delivery, strategic goals should efficiently utilize available resources. Among other things, this means having only the necessary staff and tools to meet strategic objectives.
* Performance measurement: Although it is important for strategic objectives to be SMART (specific, measurable, achievable, relevant, and time-related), the ongoing security and security-related business operations should themselves be measurable, giving management an opportunity to drive continual improvement.
* Assurance process integration: Organizations typically operate one or more separate assurance processes in silos that are not integrated. An effective strategy would work to break down these silos and consolidate assurance processes, reducing hidden risks.
What are the parts of strategy resources?
Before a strategy can be developed, it is first necessary to understand everything that is in place currently. A strategy describes how goals and objectives are to be met. Without knowing the starting place of a journey, it is not possible to chart a course to the journey’s destination. Before future security capabilities can be mapped out, it’s necessary to understand an organization’s current state and capabilities.
The differences can be seen as a gap that needs to be filled, whether that means employing tools, technologies, skills, policies, or practices.
Policy Development
The execution of a security strategy may result in additions or improvements in its security-related capabilities. These additions or improvements may require that one or more security policies be updated to reflect the new or improved capabilities.
It is a common practice to structure the organization’s security policy using one or more relevant standards or frameworks, though this is not generally required for most industries. Common standards and frameworks used in this way include:
- NIST SP 800-53
- NIST SP 800-171 and NIST SP 800-172
- ISO/IEC 27001 and ISO/IEC 27002
- COBIT (formerly Control Objectives for Information and Related Technologies)
- HIPAA/HITECH (Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health)
- PCI DSS (Payment Card Industry Data Security Standard)
- CIS CSC (Center for Internet Security Critical Security Controls)
What is the difference between governance frameworks and control frameworks?
Information Governance Frameworks and Standards
It is not necessary for organizations to develop governance models from scratch: plenty of mature models are available to adapt to individual organization needs. Like other types of models, organizations are expected to consider tailoring a standard framework to align with the organization and its business model, practices, and culture.
Security professionals often confuse governance frameworks with control frameworks. While the two are related, they are distinct and different from each other. Governance frameworks involve activities to ensure that executives are in control of the organization and that they are adequately informed. Control frameworks involve IT, security, and privacy controls, the detailed statements describing desired outcomes that are examined for proper design and effectiveness.
Information security governance efforts should integrate with what other corporate governance programs to support both?
business goals
security strategy.
Why should organizations draw on existing governance frameworks, such as xx and xxx
COBIT and the ISO standards, to avoid redundant effort and to align with industry best practices.
What is the difference between policies, standards, procedures, and guidelines?
Policies are high-level statements of management intent for the information security program.
Standards describe the detailed implementation requirements for policies.
Procedures offer step-by-step instructions for carrying out security activities.
Compliance with policies, standards, and procedures is mandatory.
Guidelines offer optional advice that complements other elements of the policy framework.
Information security governance typically focuses on several key processes, which include:
- personnel management and sourcing
- risk management
- configuration management
- change management
- access management
- vulnerability management
- incident management
- business continuity planning
Another key component is establishing an effective organizational structure and clear statements of roles and responsibilities.
What are the influencers of your hierarchical cybersecurity governance framework, and where do they fit in?
Control Objectives
Policies
https://www.complianceforge.com/free-guides/hierarchical-cybersecurity-governance-framework/
What are the documents inside a Business Case?
- Problem statement: This is a description of the business condition or situation that the initiative is designed to solve. The condition may be a matter of compliance, a finding in a risk assessment, or a capability required by a customer, partner, supplier, or regulator.
- Current state: This is a description of the existing conditions related to the initiative.
- Desired state: This describes the future state of the relevant systems, processes, or staff.
- Success criteria: These are the defined items that the program will be measured against.
- Requirements: This is a list of required characteristics and components of the solution that will remedy the current state and bring about the desired future state.
- Approach: This describes the proposed steps that will result in the desired future state. This section may include alternative approaches that were considered, with reasons why they were not selected. If the initiative requires the purchase of products or professional services, business cases may include proposals from vendors. Alternatively, the business case may include a request for proposal (RFP) or a request for information (RFI) that will be sent to selected vendors for additional information.
- Plan: This includes costs, timelines, milestones, vendors, and staff associated with the initiative.
What do the roles of risk manager, policy manager, and controls manager do?
* Risk manager: This person is responsible for performing risk assessments and maintaining the risk register.
* Policy manager: This position is responsible for maintaining security and privacy policy documents and related information. This person works closely with the risk manager, identifying risks that may indicate the need for new or updated policy.
* Controls manager: This position is responsible for maintaining security controls, advising control owners on responsibilities and expectations, and assessing controls for effectiveness.
What does the security awareness training role do?
This person is responsible for developing and delivering content of various types to enable the workforce to understand their information security and privacy responsibilities.
How would you measure the maturity of a process?
Capability maturity models are useful tools for understanding the maturity level of a process. Maturity models in other technology disciplines have also been developed, such as the Systems Security Engineering Capability Maturity Model (SSE-CMM).
The Software Engineering Institute (SEI) at Carnegie Mellon University accomplished a great deal with its development of the Capability Maturity Model Integration for Development (CMMI-DEV).
The CMMI-DEV uses five levels of maturity to describe the formality of a process:
* Level 1: Initial: This represents a process that is ad hoc, inconsistent, unmeasured, and unrepeatable.
* Level 2: Repeatable: This represents a process that is performed consistently and with the same outcome. It may or may not be well-documented.
* Level 3: Defined: This represents a process that is well-defined and well-documented.
* Level 4: Managed: This represents a quantitatively measured process with one or more metrics.
* Level 5: Optimizing: This represents a measured process that is under continuous improvement.
How do you assign a maturity level to all your processes?
Each control or process may have its own maturity level.
It is neither common nor prudent to assign a single maturity level target for all controls and processes. Instead, organizations with skilled strategists can determine the appropriate level of maturity for each control and process.
They need not all be the same. Instead, it is more appropriate to use a threat-based or risk-based model to determine an appropriate level of maturity for each control and process. Some will be 2, some will be 3, some will be 4, and a few may even be 5.
What is the primary cause of the failure of information security programs?
Failed governance
In the majority of cases, failed governance has resulted in ineffective information security programs. Without proper governance, a program may be directionless and ineffective, and may not align with the business.
To be successful, security governance needs to be raised to what level in an organization?
For security governance to be effective, the board of directors needs to be involved.
During strategy development, a security manager wants to understand the level of capabilities of current functions in the security team. What information should the security manager examine?
A security manager would use a maturity model such as SEI-CMMI to understand the level of capability for functions in a security program.
A security manager wants to enact several strategic improvements in the organization and needs to sell these ideas to executives. What type of documents should the security manager develop?
A business case describes a business problem, the current state, the desired end state, and the required resources in business terms suitable for executive audiences.
Executive leadership in an organization is uninterested in cybersecurity. A CISO’s best course of action is:
The best way to engage executive leadership in an organization is to understand the business from their perspective and to discuss information risk in business terms that they will understand.
A CISO is attempting to develop a strategy to align with the business. How should the CISO proceed?
The best way to align to the business is through face-to-face discussions with business unit leaders. Any written artifacts could be outdated or incomplete.