Information Security Governance Flashcards
Values
Ethics: what we believe in
Principles: what we adhere to
Beliefs: what we stand for
Vision
What we aspire to be
Hope and ambition
Should be clearly defined for entire org
Mission
What is the purpose of the org
Who do we do it for
Motivation and Purpose
Strategic Objectives
Plans, goals and sequencing
Where we set the plans, goals, and ordering of all the activities that can help us fulfill our mission
Strategic Plan
Long term plan made by senior leadership
Example: insource IT and build a best-in-class IT org with procedures and policies
Tactical
Usually completed by management. 1-year projects, acquisitions, hiring, budgets. Example: in the 1st year we need to do this; figure out the budget for each year and how many people to hire
Operational
Usually completed by the staff. Highly detailed and updated frequently. Examples: how to hire a server team or a networking team, how to streamline workstation servers
Policies
Mandatory; don't change much; high-level and non-specific.
Types of policies
Regulatory: must be followed based on the industry
Advisory: outlines behaviors and activities that are acceptable or not acceptable in our organization
Informational: there to inform people
Standards
Mandatory; more detailed than policies; describes a specific use of technology (e.g. all laptops are W10, 64-bit, 8 GB memory)
Guidelines
Non-mandatory; recommendations, discretionary; suggestions on how you would do it
Procedures
Mandatory; low-level step-by-step guides, very specific; can name the OS, encryption type, or vendor technology
Baselines (Benchmarks)
Mandatory; benchmarks for hardening servers, apps, and networks. Minimum requirements; we can implement stronger controls if needed. Need to implement the same security posture across the organization, meaning servers in the same protection profile have the same baselines