IS Governance

Question 1

How can a Legal team stay up to date on new laws and regulations concerning information security and privacy?

Answer 1

Subscribe to a service that publishes updates on new and changing laws and regulations.

Question 2

What is the most effective way in conveying the status of an organization’s security program to executive management?

Answer 2

Key risk indicators (KRIs)

Question 3

Explain the different between policies, standards, guidelines, and procedures.

Answer 3

Policies are overarching assertions of acceptable actions. Standards establish an acceptable level of attainment or quality. Procedures explain how to perform a process and a guideline, which is optional determines a recommended course of action.

Question 4

What metrics would best show progress on a new SIEM implementation?

Answer 4

% of log sources sending log data and number of use-cases developed.

Question 5

Define the term Information Security Governance

Answer 5

A process, or set of processes, where senior management exerts strategic control over business functions through policies, objectives, delegation of authority, monitoring, and reporting.

Question 6

What is the best way to determine tailgating at a building with card readers?

Answer 6

Observe employee behavior using video surveillance

Question 7

Which member of a cyber risk steering committee should have veto power for specific cyber-risk decisions?

Answer 7

The business owner for a relevant business process or system

Question 8

Name the CMMI levels

Answer 8

Initial, repeatable, defined, managed, optimizing

Question 9

Name the elements of a business case

Answer 9

Description of current state, desired state, success criteria, requirements, constraints, approach, and plan.

Question 10

What is the purpose of an information security steering committee?

Answer 10

Ensure alignment of the information security program with current and future business needs.

Question 11

What should inform a CISO of new 3rd party service providers?

Answer 11

IT, Legal, and Procurement

Question 12

What is FAIR?

Answer 12

Factor Analysis of Information Risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. The taxonomy takes a risk and breaks it down into 2 branches of a decision tree called Loss Event Frequency and Loss Magnitude

Question 13

What is NIST 800-30?

Answer 13

NIST 800-30 is a framework meant to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39

Question 14

What is ISO 27001?

Answer 14

A framework for management of an information security management system

Question 15

Which of the following is the norm for frequency of security awareness training?

Answer 15

At the time of hire and annually thereafter

Question 16

What is CIS?

Answer 16

Critical Security Controls, a comprehensive but more lightweight controls framework

Question 17

What is the ISACA Code of Ethics

Answer 17

1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

Question 18

What is the information security governance flow?

Answer 18

Business vision > business strategy > business objectives > IT strategy > IT security strategy > security policy > security standards > security processes > security metrics

Question 19

What does GRC stand for?

Answer 19

Governance: Generating tools and strategies needed to ensure that personnel follow established policies and procedures

Risk Management: Manage risk to acceptable levels

Compliance: Monitoring and reporting on the policies, procedures, and mechanisms necessary to adhere to regs and mandates from authorities

Question 20

What are security relationships to business goals?

Answer 20

Enhance profitability, gain market share, increase stock price, expand to new areas, attract new customers, and beat competitors to market

Question 21

What is a KGI?

Answer 21

Key goal indicators. Retroactively telling management if IT processes have met goals

Question 22

What is a KPI

Answer 22

Key performance indicators. Tests how processes are performing in reaching goals

Question 23

What is a KRI

Answer 23

Key risk indicator. Measures that indicate when an org is subject to risk beyond established residual risk

Question 24

What is BMIS?

Answer 24

Business model for InfoSec. People, Process, Technology triad with Organization at the apex.

Question 25

In BMIS, how are People and Process connected through a Dynamic Interconnection (DI)?

Answer 25

Emergence

Question 26

In BMIS, how are People and Technology connected through a Dynamic Interconnection (DI)?

Answer 26

Human Factors

Question 27

In BMIS, how are Technology and Process connected through a Dynamic Interconnection (DI)?

Answer 27

Enabling and Support

Question 28

In BMIS, how are People and Organization connected through a Dynamic Interconnection (DI)?

Answer 28

Culture

Question 29

In BMIS, how are Organization and Technology connected through a Dynamic Interconnection (DI)?

Answer 29

Architecture

Question 30

In BMIS, how are Organization and Process connected through a Dynamic Interconnection (DI)?

Answer 30

Governing

Question 31

What is the Zachman Framework?

Answer 31

Systems and environments are described at a high functional level and then in increasing detail, encompassing systems

Question 32

What is TOGAF

Answer 32

The Open Architecture Framework. A life cycle enterprise architecture framework used for designing, planning, implementing, and governing an enterprise technology architecture.

Question 33

What are the 6 types of loss in FAIR?

Answer 33

1. Productivity
2. Response
3. Replacement
4. Competitive advantage
5. Fines
6. Reputation

Question 34

What is FRAP?

Answer 34

Facilitated Risk Analysis Process

Question 35

What is Safe Harbor

Answer 35

Privacy principles that become obsolete in 2016 and was overridden by Privacy Shield

Question 36

What is Privacy Shield?

Answer 36

Used by US organizations to choose to self-attest their compliance to GDPR. A framework for regulating data exchanges between the EU and the US. Supersedes Safe Harbor

Question 37

What are Binding Corporate Rules?

Answer 37

Principles used in multinational orgs’ compliance to GDPR for the protection of internally transferred PII (aka HR data).