Information Security Governance Flashcards
Security governance is supported by the documents
ISO/IEC 17799 (ISO 27002), British Standard 7799 (ISO 27001), ISACA CobiT, NIST SP 800-55, 800-26, 800-12
Governance is the process by …
governments are selected, held accountable, monitored, and replaced.
Corporate governance is …
a set of relationships among the organization’s management, board, stakeholders.
Corporate governance provides …
objectives, means, and the ability to monitor
An effective security governance has four components:
1) Establish the responsibilities for each group of management and employees, 2) establish practical security policies and procedures backed by authority, 3) the ability to capture and provide meaningful information on program effectiveness, and 4) periodic analysis of the program.
Maturity level 1 of security program
Control objectives have been documented in a policy
Maturity level 2 of security program
Security control processes have been documented in procedures
Maturity level 3 of security program
Supporting procedures have been implemented.
Maturity level 4 of security program
Policies, procedures, and controls are tested and reviewed to ensure continued adequacy
Maturity level 5 of security program
Procedures and controls are fully integrated into the culture of the organization.
The information strategy must address three key concepts …
Identification, authentication, and authorization
Authorization shall follow two key elements …
Need to know and least privilege.
Effective security strategy requires at a minimum of five key elements …
Policies, procedures, authentication, authorization, and recovery plan.
An effective information security strategy requires four types of controls …
preventive, detective, containment, and recovery.
Business Continuity Planning, BCP, is a corporate requirement and must be integrated with
the IT Disaster Recovery Plan (DRP).
Business Continuity Plan (BCP) Purpose
Provide procedures for sustaining essential business operations while recovering from a significant disruption.
Business Recovery (Resumption) Plan (BRP) Purpose
Provide procedures for recovering business operations immediately following a disaster.
Continuity of Operations Plan (COOP) Purpose
Provide procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days.
Crisis Communications Plan (CCP) Purpose
Provide procedures for disseminating status reports to personnel and the public.
Cyber Incident Response Plan (CIRP) Purpose
Provide strategies to detect, respond to, and limit the consequences of malicious cyber incidents.
Disaster Recovery Plan (DRP) Purpose
Provide detailed procedures to facilitate recovery of capabilities at an alternate site.
Emergency Response Plan (ERP) Purpose
Provide coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat.
Contingency Plans - which of them have an IT-related scope?
BCP, CIRP, DRP, and ERP.
The cyber incident response plans include …
the normal day-to-day activities; when recovery is needed, procedures must already be in place so that it is carried out in a structured, formalized manner rather than ad hoc.
The emergency response plan stabilizes …
the environment and ensures the safety of the employees.
The SLA should include things such as …
the time the service is to be run (from what period to what period), the recovery requirements, the backup requirements, and when it has to be up.
Due diligence is the process of …
systematically evaluating information to identify risks and issues relating to a proposed transaction.
Roles and Responsibilities of Senior Management …
is charged with the ultimate responsibility for
meeting business objectives or mission requirements. Senior management must ensure that necessary resources are effectively applied to develop the capabilities to meet the mission requirement.
Roles and Responsibilities of a Chief Information Security Officer (CISO) …
The CISO is responsible for the organization’s planning, budgeting, and performance including its information security components.
Roles and Responsibilities of an Information Owner …
for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the information resources of which they are assigned ownership.
Roles and Responsibilities of a Business Manager …
for making cost-benefit decisions essential to ensure accomplishment of organization mission objectives. Their involvement in the risk management process enables the selection of business-oriented controls.
Roles and Responsibilities of an Information Security Officer …
The security program manager is responsible for the organization’s security programs, including risk management.