Information Security Governance

Question 1

Security governance is supported by the documents

Answer 1

ISO/ICE 17799 (ISO 27002), British Standard 77 99 (ISO 27001), ISACA CobiT, NIST SP 800-55, 800-26, 800-12

Question 2

Governance is the process by …

Answer 2

governments are selected, held accountable, monitored, and replaced.

Question 3

Corporate governance is …

Answer 3

a set of relationships among the organization’s management, board, stakeholders.

Question 4

Corporate governance provides …

Answer 4

objectives, means, and ability to monitoring

Question 5

An effective security governance has four components:

Answer 5

1) Establish the responsibilities for each group of management and employees, 2) establish practical security policies and procedures backed by the authority, 3) ability to capture and provide meaningful information on program effectiveness, and 4) periodic analysis of the program.

Question 6

Maturity level 1 of security program

Answer 6

Control objectives have been documented in a policy

Question 7

Maturity level 2 of security program

Answer 7

Security control processes have been documented in procedures

Question 8

Maturity level 3 of security program

Answer 8

Supporting procedures have been implemented.

Question 9

Maturity level 4 of security program

Answer 9

Policies, procedures, and controls are tested and reviewed to ensure continued adequacy

Question 10

Maturity level 5 of security program

Answer 10

Procedures and controls are fully integrated into the culture of the organization.

Question 11

The information strategy must address three key concepts …

Answer 11

Identification, authentication, and authorization

Question 12

Authorization shall follow two key elements …

Answer 12

Need to know and least privilege.

Question 13

Effective security strategy requires at a minimum of five key elements …

Answer 13

Policies, procedures, authentication, authorization, and recovery plan.

Question 14

An effective information security strategy requires four types of controls …

Answer 14

preventive, detective, containment, and recovery.

Question 15

Business Continuity Planning, BCP, is a corporate requirement and must be integrated with

Answer 15

the IT Disaster Recovery Plan (DRP).

Question 16

Business Continuity Plan (BCP) Purpose

Answer 16

Provide procedures for sustaining essential business operations while recovering from a significant disruption.

Question 17

Business Recovery (Resumption) Plan (BRP) Purpose

Answer 17

Provide procedures for recovering business operations immediately following a disaster.

Question 18

Continuity of Operations Plan (COOP) Purpose

Answer 18

Provide procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days.

Question 19

Crisis Communications Plan (CCP) Purpose

Answer 19

Provide procedures for disseminating status reports to personnel and the public.

Question 20

Cyber Incident Response Plan (CIRP) Purpose

Answer 20

Provide strategies to detect, respond to, and limit the consequences of malicious cyber incidents.

Question 21

Disaster Recovery Plan (DRP) Purpose

Answer 21

Provide detailed procedures to facilitate recovery of capabilities at an alternate site.

Question 22

Emergency Response Plan (ERP) Purpose

Answer 22

Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat.

Question 23

Contingency Plans - which one of the scopes is IT-related?

Answer 23

BCP, CIRP, DRP, and ERP.

Question 24

The cyber incident response plans include …

Answer 24

the normal day-to-day activities and when they have a need for recovery you need to have procedures in place to do them in a structured and formatted manner and not ad hoc.

Question 25

The emergency response plan stabilizes …

Answer 25

the environment and ensures the safety of the employees.

Question 26

The SLA should include things such as …

Answer 26

the time that it’s going to be run, from what period to what period; you’ll talk about recovery requirements, backup requirements, and when it has to be up.

Question 27

Due diligence is the process of …

Answer 27

systematically evaluating information to identify risks and issues relating to a proposed transaction.

Question 28

Roles and Responsibilities of a Senior Management …

Answer 28

is charged with the ultimate responsibility for
meeting business objectives or mission requirements. Senior management must ensure that necessary resources are effectively applied to develop the capabilities to meet the mission requirement.

Question 29

Roles and Responsibilities of a Chief Information Security Officer (CISO) …

Answer 29

The CISO is responsible for the organization’s planning, budgeting, and performance including its information security components.

Question 30

Roles and Responsibilities of an Information Owner …

Answer 30

for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the information resources of which they are assigned ownership.

Question 31

Roles and Responsibilities of a Business Manager …

Answer 31

for making cost-benefit decisions essential to ensure accomplishment of organization mission objectives. Their involvement in the risk management process enables the selection of business-oriented controls.

Question 32

Roles and Responsibilities of an Information Security Officer …

Answer 32

The security program manager is responsible for the organization’s security programs, including risk management.

Question 33

37

Answer 33

37