IS Governance Flashcards

1
Q

How can a Legal team stay up to date on new laws and regulations concerning information security and privacy?

A

Subscribe to a service that publishes updates on new and changing laws and regulations.

2
Q

What is the most effective way of conveying the status of an organization’s security program to executive management?

A

Key risk indicators (KRIs)

3
Q

Explain the difference between policies, standards, guidelines, and procedures.

A

Policies are overarching assertions of acceptable actions. Standards establish an acceptable level of attainment or quality. Procedures explain how to perform a process, and a guideline, which is optional, determines a recommended course of action.

4
Q

What metrics would best show progress on a new SIEM implementation?

A

% of log sources sending log data and number of use-cases developed.

5
Q

Define the term Information Security Governance

A

A process, or set of processes, where senior management exerts strategic control over business functions through policies, objectives, delegation of authority, monitoring, and reporting.

6
Q

What is the best way to detect tailgating at a building with card readers?

A

Observe employee behavior using video surveillance

7
Q

Which member of a cyber risk steering committee should have veto power for specific cyber-risk decisions?

A

The business owner for a relevant business process or system

8
Q

Name the CMMI levels

A

Initial, repeatable, defined, managed, optimizing

9
Q

Name the elements of a business case

A

Description of current state, desired state, success criteria, requirements, constraints, approach, and plan.

10
Q

What is the purpose of an information security steering committee?

A

Ensure alignment of the information security program with current and future business needs.

11
Q

Who should inform a CISO of new third-party service providers?

A

IT, Legal, and Procurement

12
Q

What is FAIR?

A

Factor Analysis of Information Risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. The taxonomy takes a risk and breaks it down into two branches of a decision tree, called Loss Event Frequency and Loss Magnitude.

13
Q

What is NIST 800-30?

A

NIST 800-30 is a framework meant to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39.

14
Q

What is ISO 27001?

A

A framework for management of an information security management system

15
Q

Which of the following is the norm for frequency of security awareness training?

A

At the time of hire and annually thereafter

16
Q

What is CIS?

A

Critical Security Controls, a comprehensive but more lightweight controls framework

17
Q

What is the ISACA Code of Ethics?

A
  1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
  2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
  3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
  4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
  6. Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
  7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
18
Q

What is the information security governance flow?

A

Business vision > business strategy > business objectives > IT strategy > IT security strategy > security policy > security standards > security processes > security metrics

19
Q

What does GRC stand for?

A

Governance: Generating tools and strategies needed to ensure that personnel follow established policies and procedures

Risk Management: Manage risk to acceptable levels

Compliance: Monitoring and reporting on the policies, procedures, and mechanisms necessary to adhere to regulations and mandates from authorities

20
Q

What are security relationships to business goals?

A

Enhance profitability, gain market share, increase stock price, expand to new areas, attract new customers, and beat competitors to market

21
Q

What is a KGI?

A

Key goal indicators. Retroactively tell management whether IT processes have met their goals

22
Q

What is a KPI?

A

Key performance indicators. Tests how processes are performing in reaching goals

23
Q

What is a KRI?

A

Key risk indicator. Measures that indicate when an organization is subject to risk beyond its established residual risk

24
Q

What is BMIS?

A

Business model for InfoSec. People, Process, Technology triad with Organization at the apex.

25
Q

In BMIS, how are People and Process connected through a Dynamic Interconnection (DI)?

A

Emergence

26
Q

In BMIS, how are People and Technology connected through a Dynamic Interconnection (DI)?

A

Human Factors

27
Q

In BMIS, how are Technology and Process connected through a Dynamic Interconnection (DI)?

A

Enabling and Support

28
Q

In BMIS, how are People and Organization connected through a Dynamic Interconnection (DI)?

A

Culture

29
Q

In BMIS, how are Organization and Technology connected through a Dynamic Interconnection (DI)?

A

Architecture

30
Q

In BMIS, how are Organization and Process connected through a Dynamic Interconnection (DI)?

A

Governing

31
Q

What is the Zachman Framework?

A

Systems and environments are described at a high functional level and then in increasing detail, encompassing systems

32
Q

What is TOGAF?

A

The Open Architecture Framework. A life cycle enterprise architecture framework used for designing, planning, implementing, and governing an enterprise technology architecture.

33
Q

What are the 6 types of loss in FAIR?

A
  1. Productivity
  2. Response
  3. Replacement
  4. Competitive advantage
  5. Fines
  6. Reputation
34
Q

What is FRAP?

A

Facilitated Risk Analysis Process

35
Q

What is Safe Harbor?

A

Privacy principles that became obsolete in 2016 and were overridden by Privacy Shield

36
Q

What is Privacy Shield?

A

Used by US organizations that choose to self-attest their compliance with GDPR. A framework for regulating data exchanges between the EU and the US. Supersedes Safe Harbor.

37
Q

What are Binding Corporate Rules?

A

Principles used in multinational organizations’ compliance with GDPR for the protection of internally transferred PII (e.g., HR data).